Malware Analysis Report

2025-08-06 03:37

Sample ID 230923-yayjwabh49
Target fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe
SHA256 fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc
Tags
dcrat fabookie glupteba redline smokeloader up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan healer xmrig trush miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc

Threat Level: Known bad

The file fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe was found to be: Known bad.

Malicious Activity Summary

RedLine

RedLine payload

Glupteba payload

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus disabler dropper

Healer

xmrig

Windows security bypass

Detect Fabookie payload

Glupteba

Fabookie

DcRat

SmokeLoader

Detected google phishing page

XMRig Miner payload

Downloads MZ/PE file

Modifies Windows Firewall

Windows security modification

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Uses the VBS compiler for execution

Executes dropped EXE

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: LoadsDriver

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Modifies registry class

Creates scheduled task(s)

Runs net.exe

Uses Task Scheduler COM API

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-23 19:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-23 19:35

Reported

2023-09-23 19:38

Platform

win7-20230831-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect Fabookie payload

Description Indicator Process Target
3 matches, each with description, indicator, process and target recorded as N/A

Detected google phishing page

phishing google

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
11 matches, each with description, indicator, process and target recorded as N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
6 matches, each with description, indicator, process and target recorded as N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9628.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9628.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9628.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9628.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9628.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9628.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9628.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe N/A
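The Windows Defender exclusion rows above (under "Windows security bypass" and "Windows security modification") and this Run key table are the two places where the dropper's registry tradecraft is visible, and both can be triaged from the report text itself. The script below is an added example, not part of the sandbox report or of any tool it names: it parses the report's flattened "Set value" rows, lists each Defender exclusion together with the reasons it deserves attention (the writer runs from a user-writable directory, the process excludes its own image name, a bare process-name exclusion collides with a Windows system binary, the exclusion covers the kernel driver directory), and classifies Run/RunOnce values. The wextract_cleanupN entries are the standard RunOnce command an IExpress/WEXTRACT self-extractor registers to delete its IXPnnn.TMP extraction directory at next logon (the same entry is what the DcRat table above lists as its indicator), so the example separates them from the Run\csrss value pointing at C:\Windows\rss\csrss.exe, a name borrowed from the Client/Server Runtime, which Windows never starts from a Run key. The sample rows are copied from the tables above; the regular expressions, the list of system binary names and the reason strings are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rows as the report flattens them: "Set value (<type>) <key> = <value> <process> <target>".
# Copied from the behavioral1 tables above: Defender exclusions, RunOnce/Run
# values, plus one Internet Explorer row that must come out as noise.
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
'''

# The value is a C-style quoted string (\\ and \" escapes, as in the RunOnce
# rows) or a bare token; the process path may contain spaces; the target is last.
ROW_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.*?) = '
                    r'(?P<value>"(?:[^"\\]|\\.)*"|\S+) (?P<process>\S.*?) (?P<target>\S+)$')
EXCLUSION_RE = re.compile(r'\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+)$', re.I)
RUN_RE = re.compile(r'\\CurrentVersion\\(RunOnce|Run)\\([^\\]+)$', re.I)
# IExpress/WEXTRACT registers this RunOnce command to delete its IXPnnn.TMP directory.
WEXTRACT_CLEANUP_RE = re.compile(r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]*)"\s*$', re.I)
USER_WRITABLE_RE = re.compile(r'\\(AppData|Temp|Users\\Public|ProgramData)\\', re.I)
# Image names malware borrows; the genuine ones live in System32 (assumed list for the example).
SYSTEM_BINARIES = {'csrss.exe', 'smss.exe', 'lsass.exe', 'wininit.exe', 'winlogon.exe',
                   'services.exe', 'svchost.exe', 'explorer.exe'}

@dataclass
class RegWrite:
    vtype: str
    key: str      # full key path, value name included
    value: str    # data with the report's quoting removed
    process: str  # writer's image path

def unquote(value: str) -> str:
    # "..." with backslash escapes -> plain text; bare tokens pass through unchanged.
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value

def parse_rows(text: str) -> List[RegWrite]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # skips blank lines, table headers and rows that are not "Set value"
            rows.append(RegWrite(m['type'], m['key'], unquote(m['value']), m['process']))
    return rows

def basename(path: str) -> str:
    return path.rstrip('\\').rsplit('\\', 1)[-1].lower()

def exclusion_reasons(kind: str, item: str, writer: str) -> List[str]:
    reasons = []
    if USER_WRITABLE_RE.search(writer):
        reasons.append('written by a process running from a user-writable directory')
    if basename(item) == basename(writer):
        reasons.append('process excludes itself')
    if USER_WRITABLE_RE.search(item):
        reasons.append('excluded path is user-writable')
    # A Processes exclusion is matched by image name wherever the image runs,
    # so excluding "csrss.exe" also covers C:\Windows\rss\csrss.exe.
    if basename(item) in SYSTEM_BINARIES and (kind == 'Processes' or
                                              not item.lower().startswith('c:\\windows\\system32\\')):
        reasons.append('name collides with a Windows system binary')
    if re.search(r'\\system32\\drivers$', item, re.I):
        reasons.append('covers the kernel driver directory')
    return reasons

def first_exe(command: str) -> str:
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]

def classify_run_entry(name: str, command: str) -> Tuple[str, str]:
    m = WEXTRACT_CLEANUP_RE.match(command)
    if m and name.lower().startswith('wextract_cleanup'):
        return 'wextract-cleanup', m['dir']
    exe = first_exe(command)
    if basename(exe) in SYSTEM_BINARIES and not exe.lower().startswith('c:\\windows\\system32\\'):
        return 'masquerade', exe  # system binary name started from the wrong directory
    return 'other', exe

def triage(text: str) -> Dict[str, list]:
    findings = {'exclusions': [], 'run_entries': []}
    for row in parse_rows(text):
        m = EXCLUSION_RE.search(row.key)
        if m:
            findings['exclusions'].append((m[1], m[2], exclusion_reasons(m[1], m[2], row.process)))
            continue
        m = RUN_RE.search(row.key)
        if m:
            findings['run_entries'].append((m[1], m[2]) + classify_run_entry(m[2], row.value))
    return findings
```

triage(SAMPLE_ROWS) returns five exclusions, every one flagged because the writer runs from %TEMP%, with the self-exclusion, the user-writable csrss path, the drivers directory and the csrss.exe name collision each carrying its extra reason, and two Run entries: wextract_cleanup0 classified as the IExpress cleanup of IXP000.TMP and Run\csrss classified as a masquerade. On a live host the same checks apply to the values stored under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions (or the ExclusionPath and ExclusionProcess properties of Get-MpPreference), except that the registry does not record which process wrote them, so the writer-based reason is only available from sandbox or EDR telemetry.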

Checks installed software on the system

discovery

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PA Previewer\is-MRR14.tmp C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-4VVEO.tmp C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-CP305.tmp C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-81VPD.tmp C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp N/A
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20230923193741.cab C:\Windows\system32\makecab.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef000000000200000000001066000000010000200000005642857902f21af7bb677f062f42157f44698f0214e0d66cd6ebd38d1e05270d000000000e8000000002000020000000f28011bebceebfe4cfc59b32c36ac0b0cc218f52376b82e24b7fe919139c5e0c20000000f1956b440c7f8b7a608d1ff7864d51d5434b8a6fffe8f88fe485245d8d366b9140000000d6a19899abe288e51aabe138d96b3bf78e4cdb7a4be7954e5bdedf2384cc08079acc125a0967e87e1bdaf98f7b11f965f5fee0a7516f938502a2e73c732bba59 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70b3b77355eed901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{94611E91-5A48-11EE-B88D-4E9D0FD57FD1} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{94CC3C71-5A48-11EE-B88D-4E9D0FD57FD1} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef0000000002000000000010660000000100002000000056d0dc725d52cba5f1a0bfa3ec87e07f0e225d10659d9598b57871a088988dd5000000000e800000000200002000000016e452ffeb4d2a2d8be47b4b7ff218a741bdad1807c35c08ae69734098c4a1089000000085772e4adb7963ffebdf7227d70fbffcb159bd4352403e14e20b0aced9329bb5d307b1c59b1c0a16f63369c276e01a4b59090569407ab42aa1c0065906076871de739ac97030b654e123738feacf75777e7e2819618c0f52c7a0ae192c7cd87a2edd7f7a657c56be34d76cc0ae4824326348603c686eb681a46ebd42a985751f0d0bebb50c95b15fbc1a0f8b9f92f067400000003f0ef0cc6db52b0209bbbea0677251c0d6b96e74623d887ed57c3e8ddc297f95e1450959b40006a796fb6bbc2dca58e90929f95381ae5259013a65bf87b18dcf C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9DA8.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AB7F.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe
PID 2864 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe
PID 2864 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe
PID 2864 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe
PID 2864 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe
PID 2864 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe
PID 2864 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe
PID 2932 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe
PID 2932 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe
PID 2932 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe
PID 2932 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe
PID 2932 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe
PID 2932 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe
PID 2932 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe
PID 2664 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe
PID 2664 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe
PID 2664 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe
PID 2664 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe
PID 2664 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe
PID 2664 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe
PID 2664 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe
PID 2668 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe
PID 2668 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe
PID 2668 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe
PID 2668 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe
PID 2668 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe
PID 2668 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe
PID 2668 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe
PID 2856 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2856 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2856 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2856 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2856 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2856 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2856 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2856 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2856 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2856 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2856 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\SysWOW64\WerFault.exe
PID 2856 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\SysWOW64\WerFault.exe
PID 2856 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\SysWOW64\WerFault.exe
PID 2856 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\SysWOW64\WerFault.exe
PID 2856 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\SysWOW64\WerFault.exe
PID 2856 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\SysWOW64\WerFault.exe
PID 2856 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\SysWOW64\WerFault.exe
PID 1200 wrote to memory of 3056 N/A N/A C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 3056 N/A N/A C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 3056 N/A N/A C:\Windows\system32\cmd.exe
PID 3056 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3056 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3056 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1032 wrote to memory of 1192 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1032 wrote to memory of 1192 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1032 wrote to memory of 1192 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1032 wrote to memory of 1192 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3056 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3056 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3056 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1200 wrote to memory of 2040 N/A N/A C:\Users\Admin\AppData\Local\Temp\9628.exe
PID 1200 wrote to memory of 2040 N/A N/A C:\Users\Admin\AppData\Local\Temp\9628.exe
PID 1200 wrote to memory of 2040 N/A N/A C:\Users\Admin\AppData\Local\Temp\9628.exe
PID 1200 wrote to memory of 2040 N/A N/A C:\Users\Admin\AppData\Local\Temp\9628.exe
PID 2040 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\9628.exe C:\Users\Admin\AppData\Local\Temp\ss41.exe
PID 2040 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\9628.exe C:\Users\Admin\AppData\Local\Temp\ss41.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe

"C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 268

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\8D71.bat" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1032 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\9628.exe

C:\Users\Admin\AppData\Local\Temp\9628.exe

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1480 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\9DA8.exe

C:\Users\Admin\AppData\Local\Temp\9DA8.exe

C:\Users\Admin\AppData\Local\Temp\A344.exe

C:\Users\Admin\AppData\Local\Temp\A344.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\AB7F.exe

C:\Users\Admin\AppData\Local\Temp\AB7F.exe

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp

"C:\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp" /SL4 $20266 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230923193741.log C:\Windows\Logs\CBS\CbsPersist_20230923193741.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network


Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe

MD5 5635bf6ef0565d1ab6c5fb6692b03743
SHA1 f6d43137b12db66dbb92c00a57c17169a479e925
SHA256 61431f65f57db278c6d7581b44a34513e9ef9636fdd564ccfe5e28d5198f89ca
SHA512 98433abfc72875f91816875701f1048f75eb82f2ece22678ea9f2216d174bf5b26e98710bb4dc87780824d6a812a6a1e88b72d536df2a0dd2948e1750fda4df8

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe

MD5 5635bf6ef0565d1ab6c5fb6692b03743
SHA1 f6d43137b12db66dbb92c00a57c17169a479e925
SHA256 61431f65f57db278c6d7581b44a34513e9ef9636fdd564ccfe5e28d5198f89ca
SHA512 98433abfc72875f91816875701f1048f75eb82f2ece22678ea9f2216d174bf5b26e98710bb4dc87780824d6a812a6a1e88b72d536df2a0dd2948e1750fda4df8

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe

MD5 5635bf6ef0565d1ab6c5fb6692b03743
SHA1 f6d43137b12db66dbb92c00a57c17169a479e925
SHA256 61431f65f57db278c6d7581b44a34513e9ef9636fdd564ccfe5e28d5198f89ca
SHA512 98433abfc72875f91816875701f1048f75eb82f2ece22678ea9f2216d174bf5b26e98710bb4dc87780824d6a812a6a1e88b72d536df2a0dd2948e1750fda4df8

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe

MD5 5635bf6ef0565d1ab6c5fb6692b03743
SHA1 f6d43137b12db66dbb92c00a57c17169a479e925
SHA256 61431f65f57db278c6d7581b44a34513e9ef9636fdd564ccfe5e28d5198f89ca
SHA512 98433abfc72875f91816875701f1048f75eb82f2ece22678ea9f2216d174bf5b26e98710bb4dc87780824d6a812a6a1e88b72d536df2a0dd2948e1750fda4df8

\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe

MD5 229e086ea1c4e11e2f278dbab0ad1742
SHA1 6604438c9080672fbbdbb2618f53633ff4786464
SHA256 6f91a369c659c9171209149a75ae40ca61ba5187ee4b146f42c5af2e4d57266a
SHA512 428b563dedc986d6c44a5fd335d3b307a50604ede251b4cd33fb4b18d9e1ab4cc81a16fdb7d19359312edb0666487f134fd8fbe5b1768bb453f17c3c880ff6cb

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe

MD5 229e086ea1c4e11e2f278dbab0ad1742
SHA1 6604438c9080672fbbdbb2618f53633ff4786464
SHA256 6f91a369c659c9171209149a75ae40ca61ba5187ee4b146f42c5af2e4d57266a
SHA512 428b563dedc986d6c44a5fd335d3b307a50604ede251b4cd33fb4b18d9e1ab4cc81a16fdb7d19359312edb0666487f134fd8fbe5b1768bb453f17c3c880ff6cb

\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe

MD5 229e086ea1c4e11e2f278dbab0ad1742
SHA1 6604438c9080672fbbdbb2618f53633ff4786464
SHA256 6f91a369c659c9171209149a75ae40ca61ba5187ee4b146f42c5af2e4d57266a
SHA512 428b563dedc986d6c44a5fd335d3b307a50604ede251b4cd33fb4b18d9e1ab4cc81a16fdb7d19359312edb0666487f134fd8fbe5b1768bb453f17c3c880ff6cb

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe

MD5 229e086ea1c4e11e2f278dbab0ad1742
SHA1 6604438c9080672fbbdbb2618f53633ff4786464
SHA256 6f91a369c659c9171209149a75ae40ca61ba5187ee4b146f42c5af2e4d57266a
SHA512 428b563dedc986d6c44a5fd335d3b307a50604ede251b4cd33fb4b18d9e1ab4cc81a16fdb7d19359312edb0666487f134fd8fbe5b1768bb453f17c3c880ff6cb

\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe

MD5 c6ff8d2f21c615bb33e8ca460753226a
SHA1 0d7530564176d87a459b33950741385c763eb47e
SHA256 7cd25a8e8873de4e26e04ccfa8e11b3390191b91134a41ceddb80f9691d0fb38
SHA512 60fa3a90228ddf53810d5c2d5d806c620f666ec13f2df1721ebf61f3de2e13aeeae9bb82cc78915538b3855adc2e72fc99a2d8b3f3118c62f512635ce92e450d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe

MD5 c6ff8d2f21c615bb33e8ca460753226a
SHA1 0d7530564176d87a459b33950741385c763eb47e
SHA256 7cd25a8e8873de4e26e04ccfa8e11b3390191b91134a41ceddb80f9691d0fb38
SHA512 60fa3a90228ddf53810d5c2d5d806c620f666ec13f2df1721ebf61f3de2e13aeeae9bb82cc78915538b3855adc2e72fc99a2d8b3f3118c62f512635ce92e450d

\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe

MD5 c6ff8d2f21c615bb33e8ca460753226a
SHA1 0d7530564176d87a459b33950741385c763eb47e
SHA256 7cd25a8e8873de4e26e04ccfa8e11b3390191b91134a41ceddb80f9691d0fb38
SHA512 60fa3a90228ddf53810d5c2d5d806c620f666ec13f2df1721ebf61f3de2e13aeeae9bb82cc78915538b3855adc2e72fc99a2d8b3f3118c62f512635ce92e450d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe

MD5 c6ff8d2f21c615bb33e8ca460753226a
SHA1 0d7530564176d87a459b33950741385c763eb47e
SHA256 7cd25a8e8873de4e26e04ccfa8e11b3390191b91134a41ceddb80f9691d0fb38
SHA512 60fa3a90228ddf53810d5c2d5d806c620f666ec13f2df1721ebf61f3de2e13aeeae9bb82cc78915538b3855adc2e72fc99a2d8b3f3118c62f512635ce92e450d

\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

MD5 09486d2a5ef6f89b047e236ccf7d8291
SHA1 71ff71a7527a13fb70f53f2049b20036623ff696
SHA256 7e59c53351e5fbc23a16963d1664b52c914617951f7cba8bb1001eb7858c0cc6
SHA512 191866203f5ed47f8b385eed4f142185982dc05afa2dbdd8484744c44113ae9320de5a47caa286d8660098007a1cd53968f36f093e4c9e83a308607ecf723cf5

\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

MD5 09486d2a5ef6f89b047e236ccf7d8291
SHA1 71ff71a7527a13fb70f53f2049b20036623ff696
SHA256 7e59c53351e5fbc23a16963d1664b52c914617951f7cba8bb1001eb7858c0cc6
SHA512 191866203f5ed47f8b385eed4f142185982dc05afa2dbdd8484744c44113ae9320de5a47caa286d8660098007a1cd53968f36f093e4c9e83a308607ecf723cf5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

MD5 09486d2a5ef6f89b047e236ccf7d8291
SHA1 71ff71a7527a13fb70f53f2049b20036623ff696
SHA256 7e59c53351e5fbc23a16963d1664b52c914617951f7cba8bb1001eb7858c0cc6
SHA512 191866203f5ed47f8b385eed4f142185982dc05afa2dbdd8484744c44113ae9320de5a47caa286d8660098007a1cd53968f36f093e4c9e83a308607ecf723cf5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

MD5 09486d2a5ef6f89b047e236ccf7d8291
SHA1 71ff71a7527a13fb70f53f2049b20036623ff696
SHA256 7e59c53351e5fbc23a16963d1664b52c914617951f7cba8bb1001eb7858c0cc6
SHA512 191866203f5ed47f8b385eed4f142185982dc05afa2dbdd8484744c44113ae9320de5a47caa286d8660098007a1cd53968f36f093e4c9e83a308607ecf723cf5

\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

MD5 09486d2a5ef6f89b047e236ccf7d8291
SHA1 71ff71a7527a13fb70f53f2049b20036623ff696
SHA256 7e59c53351e5fbc23a16963d1664b52c914617951f7cba8bb1001eb7858c0cc6
SHA512 191866203f5ed47f8b385eed4f142185982dc05afa2dbdd8484744c44113ae9320de5a47caa286d8660098007a1cd53968f36f093e4c9e83a308607ecf723cf5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

MD5 09486d2a5ef6f89b047e236ccf7d8291
SHA1 71ff71a7527a13fb70f53f2049b20036623ff696
SHA256 7e59c53351e5fbc23a16963d1664b52c914617951f7cba8bb1001eb7858c0cc6
SHA512 191866203f5ed47f8b385eed4f142185982dc05afa2dbdd8484744c44113ae9320de5a47caa286d8660098007a1cd53968f36f093e4c9e83a308607ecf723cf5

memory/2540-43-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2540-45-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2540-47-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2540-48-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2540-49-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

MD5 09486d2a5ef6f89b047e236ccf7d8291
SHA1 71ff71a7527a13fb70f53f2049b20036623ff696
SHA256 7e59c53351e5fbc23a16963d1664b52c914617951f7cba8bb1001eb7858c0cc6
SHA512 191866203f5ed47f8b385eed4f142185982dc05afa2dbdd8484744c44113ae9320de5a47caa286d8660098007a1cd53968f36f093e4c9e83a308607ecf723cf5

\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

MD5 09486d2a5ef6f89b047e236ccf7d8291
SHA1 71ff71a7527a13fb70f53f2049b20036623ff696
SHA256 7e59c53351e5fbc23a16963d1664b52c914617951f7cba8bb1001eb7858c0cc6
SHA512 191866203f5ed47f8b385eed4f142185982dc05afa2dbdd8484744c44113ae9320de5a47caa286d8660098007a1cd53968f36f093e4c9e83a308607ecf723cf5

\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

MD5 09486d2a5ef6f89b047e236ccf7d8291
SHA1 71ff71a7527a13fb70f53f2049b20036623ff696
SHA256 7e59c53351e5fbc23a16963d1664b52c914617951f7cba8bb1001eb7858c0cc6
SHA512 191866203f5ed47f8b385eed4f142185982dc05afa2dbdd8484744c44113ae9320de5a47caa286d8660098007a1cd53968f36f093e4c9e83a308607ecf723cf5

\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

MD5 09486d2a5ef6f89b047e236ccf7d8291
SHA1 71ff71a7527a13fb70f53f2049b20036623ff696
SHA256 7e59c53351e5fbc23a16963d1664b52c914617951f7cba8bb1001eb7858c0cc6
SHA512 191866203f5ed47f8b385eed4f142185982dc05afa2dbdd8484744c44113ae9320de5a47caa286d8660098007a1cd53968f36f093e4c9e83a308607ecf723cf5

memory/1200-54-0x0000000002A90000-0x0000000002AA6000-memory.dmp

memory/2540-55-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8D71.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\8D71.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\9628.exe

MD5 6b254caca548f0be01842a0c4bd4c649
SHA1 79bbeed18d08c3010e8954f6d5c9f52967dcc32e
SHA256 01a7afff3220c1a442e3b8bc41dbf4036e9c223f9aab374265d9beae0709e434
SHA512 b69f8c71f2b71268150cc74e8e842b6526e87c5e944d163bb3def85cc919428c249a733ca9bbefc4cf4b80a8dbf6961b8e6f0333194713faf10551b8eb97d3ff

\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

memory/2104-127-0x00000000FFCF0000-0x00000000FFDC9000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

C:\Users\Admin\AppData\Local\Temp\Cab9916.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

\Users\Admin\AppData\Local\Temp\9DA8.exe

MD5 ef11a166e73f258d4159c1904485623c
SHA1 bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e
SHA256 dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747
SHA512 2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01cea5c910e687b64da9b47fdabf9c74
SHA1 a91e355c29f46bc2ddde4acef86eba857a33270b
SHA256 ae85bb69569600e996be82adcb6ea79c305cf4d1c653d9083c43da9e998679d1
SHA512 ca1a1be1d45bce5d0038dddf5306a090a48a0c865a4ba36bfb2c79949be03bf5dd9dd6b115c8c3c1df46fae727697189d93872eb7038e77765e05295a720dead

C:\Users\Admin\AppData\Local\Temp\Tar9F6C.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\9DA8.exe

MD5 ef11a166e73f258d4159c1904485623c
SHA1 bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e
SHA256 dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747
SHA512 2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f5d0e77f7d1135b9450aa1d82f8c2f7
SHA1 b7d62c246e6b0e1cf27cf2b420a9a22b3bf3a66c
SHA256 d08614d60feb4fee7846621c19aed344245ad7adafc957e7552fe53df44bb947
SHA512 3c1a0a1fb99b7314d4874f45196f420a86d0e6578378b01cb244a3492ef3a18ea89bc6b711f8a67730d3dff85f747d1398736f6c96a837255dfeb89cb204dd62

C:\Users\Admin\AppData\Local\Temp\9DA8.exe

MD5 ef11a166e73f258d4159c1904485623c
SHA1 bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e
SHA256 dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747
SHA512 2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63097580e8a2ea619645dce3d194cc2b
SHA1 e62c36b04a5e0d13bbd3184d24a161d8732d9112
SHA256 c61e007522d9c17b376e86edf65236034da3380f0ef8f284cca8c7505a8cc097
SHA512 ec1796085f2ce24711081dd5a97e7d3f341877d2a7e76ca80ef4f392552e06b164dd84a0dd2cec0c29090c4c2463040cbd1cc42e36ca517c943356ee96fb7fb2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63097580e8a2ea619645dce3d194cc2b
SHA1 e62c36b04a5e0d13bbd3184d24a161d8732d9112
SHA256 c61e007522d9c17b376e86edf65236034da3380f0ef8f284cca8c7505a8cc097
SHA512 ec1796085f2ce24711081dd5a97e7d3f341877d2a7e76ca80ef4f392552e06b164dd84a0dd2cec0c29090c4c2463040cbd1cc42e36ca517c943356ee96fb7fb2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 819b1bab327893893b62024dcd0969f1
SHA1 054ddc72b57a46cb6cd04efb2616706e34fafe2a
SHA256 9205098a81ec7f71da6da5718fe83557f6988370a65d9e5dc1861f6730a13b80
SHA512 588a3a7f43ab4659ccee61a1aa9a8264cd189747447e27932b141f9154c276f7dd283aa89f3807d4008c03018575afa422454848586bba13e7b6ad327bdc4c75

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{94611E91-5A48-11EE-B88D-4E9D0FD57FD1}.dat

MD5 e17329a62d6aafd3797fdac61c32c10e
SHA1 e331e0dc2de8a83a58417a09f1045b298d07394f
SHA256 64153234578b8b6aaeb587deccfe4ddb3f544e6099ebf73fc97f3db41c7971b1
SHA512 961a7c2d11fd9dbe32d7c9221e775309750f8d63f6dde0e371578aab815777194e91ec8a49203b88b835960973097fa7859574beb28027d1a150e4f20bf425b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a5f8c1353aa46b9cd73dbaf08f920eca
SHA1 da86954f824b3da2b9a2f2d63805cc8ed8678ef1
SHA256 d2d4434a508b5037217260f5510309fc45fafb27e55330430df6bea8545012a1
SHA512 836ec69809bab4dc6324ba954c02cb3b4d17611e477b4e413cd457ecc959a41e204532f4b2f70cfb48fb6b195d7deefecc0737fee52ed9b53af252fa75129636

C:\Users\Admin\AppData\Local\Temp\A344.exe

MD5 52c2f13a9fa292d1f32439dde355ff71
SHA1 03a9aa82a8070de26b9a347cfbd4090fd239f8df
SHA256 020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
SHA512 097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

C:\Users\Admin\AppData\Local\Temp\A344.exe

MD5 52c2f13a9fa292d1f32439dde355ff71
SHA1 03a9aa82a8070de26b9a347cfbd4090fd239f8df
SHA256 020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
SHA512 097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

memory/1356-388-0x0000000000020000-0x00000000001F8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35953c247b392e5a4950b42a96c7faad
SHA1 e47e551777e4ba29ecbbe2ca7f65acf57b23b94e
SHA256 3951fdf2198a4388c34f97c0744cddef3d51cd6317974ff12bb801cbb0491fb8
SHA512 64cb676b54c8fdf016e6e0e6e4ba38950925f46b435e318a92201f5c35036bc397ca55e76e90992c9ed69d4b94a16f16e57113e7b572b4b96fa20f59b34b8dbc

memory/1356-402-0x0000000000020000-0x00000000001F8000-memory.dmp

memory/1752-435-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1752-437-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1752-442-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1752-447-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1752-448-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1356-449-0x0000000000020000-0x00000000001F8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 819e4055f54ff77abcd93be20e43dd31
SHA1 20ac2cec0a359efdf9c05e41f51e595b27b7d9e3
SHA256 888181f9a2bbf13d2c6cbc2f8a63c04bc0db7cb9f4957915d99f31134f099b10
SHA512 fb432d84c285602c6df89ddb358a5a5d88482716469543bb9d1109aaf1669d463002658964beb84422bf3686fb6807b3e2fbf726941c842a4634c35b5699465e

C:\Users\Admin\AppData\Local\Temp\AB7F.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

C:\Users\Admin\AppData\Local\Temp\AB7F.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

memory/2292-474-0x0000000000E80000-0x0000000000FF4000-memory.dmp

memory/2468-475-0x0000000000890000-0x0000000000976000-memory.dmp

memory/2292-477-0x0000000070D50000-0x000000007143E000-memory.dmp

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/2292-537-0x0000000070D50000-0x000000007143E000-memory.dmp

memory/3000-538-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2468-546-0x00000000024E0000-0x00000000025C2000-memory.dmp

memory/2468-548-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

memory/2104-549-0x0000000003570000-0x00000000036E1000-memory.dmp

memory/2104-550-0x00000000036F0000-0x0000000003821000-memory.dmp

memory/1752-552-0x0000000070D50000-0x000000007143E000-memory.dmp

memory/2468-551-0x000000001BB30000-0x000000001BBB0000-memory.dmp

memory/3000-554-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2004-553-0x00000000002B0000-0x00000000002B8000-memory.dmp

memory/1752-555-0x0000000007460000-0x00000000074A0000-memory.dmp

memory/2004-556-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

memory/2468-559-0x000000001B9C0000-0x000000001BA90000-memory.dmp

memory/2468-560-0x00000000006A0000-0x00000000006EC000-memory.dmp

memory/2004-561-0x000000001A790000-0x000000001A810000-memory.dmp

memory/1924-583-0x0000000000220000-0x000000000027A000-memory.dmp

memory/1924-584-0x0000000000400000-0x0000000000469000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-ESTAF.tmp\is-6J8FI.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\AppData\Local\Temp\AB7F.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

memory/1924-601-0x0000000070D50000-0x000000007143E000-memory.dmp

memory/1924-602-0x0000000007070000-0x00000000070B0000-memory.dmp

memory/2468-612-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O2X6Y6U3\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5Y4CXW2F\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\6gi47o3\imagestore.dat

MD5 0c18bb137f76ba411c5141d2a9519135
SHA1 f5ffd440fb073a2a4d3af78a7f1bd0d35d6781fe
SHA256 b952bbaec74d9fa558fa3badc0dc4c7995644a7c55f1f6c0b5e40f2bff79f904
SHA512 fabd500085cb99ca2d3c557764e429989514679ac65e6e4e71143cbde4836ab0188feceeefe5faf7e043a6155100330e242d388883d58dda66ed3a249fb3221a

\Users\Admin\AppData\Local\Temp\is-993AE.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-993AE.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

memory/2104-749-0x00000000036F0000-0x0000000003821000-memory.dmp

memory/1752-750-0x0000000070D50000-0x000000007143E000-memory.dmp

memory/3000-752-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1752-753-0x0000000007460000-0x00000000074A0000-memory.dmp

memory/2004-766-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

memory/2348-768-0x00000000036F0000-0x00000000038E1000-memory.dmp

memory/2804-769-0x0000000000DE0000-0x0000000000FD1000-memory.dmp

memory/2804-771-0x0000000000DE0000-0x0000000000FD1000-memory.dmp

memory/2804-770-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2804-772-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1924-774-0x0000000070D50000-0x000000007143E000-memory.dmp

memory/2804-775-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1924-777-0x0000000007070000-0x00000000070B0000-memory.dmp

memory/2116-778-0x0000000000C40000-0x0000000000E31000-memory.dmp

memory/2116-779-0x0000000000C40000-0x0000000000E31000-memory.dmp

memory/2348-780-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/2116-797-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2348-796-0x00000000036F0000-0x00000000038E1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 892b71ad14b1e51d0f7acb7bfc6e3ea3
SHA1 5da41b55380d74ebe03d215572a7d259aa9ff41e
SHA256 8215a37f3bb40948d94f0688eaad38ca36c3e5275910cdf2594bae01b3f42bab
SHA512 f01f5a595932113af821ee635541a18e37adbca9b1a8bee5ede73afdc7954f2be047f80d93b992bc8da5d84441fb71517550a2e60c60d16b83adcb754c44c415

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 acd3817d23beea94ba48af28fd70a4d4
SHA1 c623c0411524baadaf93a155bb530484c2aed4f4
SHA256 5fe3a9a6e14c524c38a2f3d6a4706a2568f26796f462970fa6797319e5006974
SHA512 0c47d7fe01888dd8a3fe375e53c0be2b2f9b4db55fedb4b7947d333640bc42a8294c541cf18f1775409d14825ec538a40a2b8d8b05cdfe8bd5762969f6e10253

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e975352c44840140caf2d6cf8de80b23
SHA1 ad54674771fcb90e457c676c74be3842527771f0
SHA256 e194337eb8a8f63c217ac5b96b1097d17b0748b14a1fd0e0a82d6c4daaaa455b
SHA512 28904ef450e551047024addf85f47d8c7ecb2126d5e61a6035a6512dfc8f1328c0f22af0a102e8d2671eb621d02a5159cad2dba5f1acedcb943bdb01077eacfa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 653afd85bda1754f372cc09c66c87326
SHA1 9dec92ef21d5f3f1fb66065a31d7d0c7ea137d36
SHA256 e828ce88cbe9f8bf545c5836fb1aa1c5ebafe6712155ac6d0fb5d4400bf7fc67
SHA512 f226f1a40df9c58b7deccb5fe1f209240250db732151a983273aa87b8f7c12dd96d54522363e5f63e7d5aed22a9e1cf95ede2c6ae6861e71e9d107cc1a5af1e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48cfe5c51f26daff3049f5931a0736d0
SHA1 bb7c8edd3c37a17e25fef98794b17ca8a341964b
SHA256 2268cf319ddba5178f9921744a02c8a562386013bebfc0289c6f8a50fa961be5
SHA512 3da5ab3fa0c96728041afad19a19271e858ddabc51f6f1ddc3bde424dd31d9128de08de112a3cffff53ac4e44e849a8b5cf14ab879ef2a0cdf0f4186cff916f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a688d3e6cf17d51730e6643c80db91c9
SHA1 3442e6dd70fbb97c0318c67269986c01001b1e8f
SHA256 2b830bd84220ccb7a9e2a0b5465f7eb844f3b2914afbb36144c3caacded5aa8f
SHA512 302d47b310bc79121550b904ef29b04a09be7e5721ce520183b9b6a1f2b7e26e1036202f0640d3153e307365bb034a1575b3c4a61a82e2b084654b0c872dba38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60c8e3f19b3947491626107b6f4f719a
SHA1 a585ff61e0980af91363ff49d72e6301e7e8c9a2
SHA256 b7c14452a9af728c82dff140ce71d27075403d13bbbb3353ee8fa07ec70c435b
SHA512 2b353b9f402bffbd35ada4e74114ee36303992c53253d99fb4ee9d5c68ff406d2eb8d82ea408b6d79f5797695d734f8ab88670cb58bd58dec2cf7e190c35202c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9f5adb472a681cf66b9be087d3ee4b1
SHA1 865ed99a5ad9687044526e50de6d5a9436b75fec
SHA256 24eab52e462a11b932084b9dc5827c607b0abf3dae5049a5ec014ac54f33b447
SHA512 ee5f54014619b80426a593814d0ad0ecd3a2a53ab8b843a7415cab7f273937cf9a7431baf2f727e9b91857cd32d707087b63f4a6a04b338143821ce33a2ef200

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91c82e10e76482e1322c64daead6159a
SHA1 feea0a821941a17c08dc4d570d66d37a82db6f97
SHA256 327d11c65716ce5105ad2301e2b11ba08a92596f5885667e319a51c8ab7702bd
SHA512 fd1e5f8c972ed674e9e64616d87328dade8af70259c11de33d1f91bd618a13711b4e489fd4dc4e3586d23b2e6d8923323fddba27c92328bae15546dd5fc50aad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e24f71048945d75780b9b57f7aeb6134
SHA1 8c8298b4a4afc016c8e3aef0c2e1800de41d6f83
SHA256 e881edf0aa675b773be1b4865cbf55c82ddb04a3e29c4c87825c4e339fca9394
SHA512 52e2304de22ebacc58697afccee301dcec2b42cd721174a22becaec8da80b20d3c465703c77241013bfff529c9a467485f1e1dd3ab07a5a352c7ff436970748e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f780d4c8dd983486ed0413270761e8ff
SHA1 3953e3666e7ed387e7b9a1d17e36a987b594744b
SHA256 1df3b3169fe66b5a10eb6facb08c204a08853764aed8fb44a11a507798172c59
SHA512 6e34fe0b026048f3bdaaf84fbc28076e7aaa76e874d65549fe7e32ce0ca7ac252c74863872f64cbf84dbfb50dcbb12c3d0477fd332cd7dd96c5ad4cbe3b46c66

memory/1232-1213-0x00000000026A0000-0x0000000002A98000-memory.dmp

memory/548-1214-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1232-1216-0x0000000002AA0000-0x000000000338B000-memory.dmp

memory/548-1218-0x0000000000400000-0x0000000000409000-memory.dmp

memory/436-1219-0x0000000000220000-0x0000000000235000-memory.dmp

memory/436-1217-0x0000000000240000-0x0000000000249000-memory.dmp

memory/548-1220-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2348-1221-0x00000000036F0000-0x00000000038E1000-memory.dmp

memory/2116-1222-0x0000000000C40000-0x0000000000E31000-memory.dmp

memory/1232-1223-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1924-1225-0x0000000070D50000-0x000000007143E000-memory.dmp

memory/1752-1226-0x0000000070D50000-0x000000007143E000-memory.dmp

memory/1232-1227-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2348-1228-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1232-1230-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1232-1231-0x0000000002AA0000-0x000000000338B000-memory.dmp

memory/1200-1232-0x0000000002CA0000-0x0000000002CB6000-memory.dmp

memory/548-1233-0x0000000000400000-0x0000000000409000-memory.dmp

memory/112-1238-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/112-1244-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2116-1246-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2504-1247-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1932-1251-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/1932-1260-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2504-1316-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2504-1317-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2116-1333-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2504-1338-0x0000000000400000-0x0000000000D1B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-23 19:35

Reported

2023-09-23 19:38

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
(2 matches; no description, indicator, process or target recorded)

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(4 matches; no description, indicator, process or target recorded)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
The writer is the 32-bit .NET host AppLaunch.exe (Framework, not Framework64), into which a9123239.exe and b7736190.exe write in the WriteProcessMemory rows further down, so the policy changes come from the code injected into it rather than from AppLaunch.exe itself. These are the Group Policy values Defender honours: on a host with Tamper Protection on they do not take effect; on one without it, real-time monitoring, behaviour monitoring, on-access scanning and IOAV (download) scanning are all off from this point on. The writes themselves are a solid detection: a value set (Sysmon Event ID 13) under this key by anything other than the Group Policy client.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(4 matches; no description, indicator, process or target recorded)

SmokeLoader

trojan backdoor smokeloader

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(10 matches; no description, indicator, process or target recorded)

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
Geo\Nation holds the country configured for the user. Reading it is the usual way a loader decides whether to run at all on a host in an excluded locale, and both kos.exe and kos1.exe do it.

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe N/A
The wextract_cleanupN RunOnce values are written by the Windows self-extractor stub (wextract, the IExpress packager) itself: each tells rundll32 to delete the IXP00N.TMP directory at the next logon. They are cleanup, not persistence, so this signature on its own is not evidence that the sample survives a reboot. What the four rows do show is four nested self-extractor stages, each registering cleanup for the directory it unpacked its payload into: the sample unpacks v2773778.exe into IXP000.TMP, which unpacks v8927818.exe into IXP001.TMP, which unpacks v4300333.exe into IXP002.TMP, which unpacks the final stage into IXP003.TMP.
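
The Defender rows under "Modifies Windows Defender Real-time Protection settings" and the RunOnce rows above share one row shape, Set value (<type>) <key>\<name> = "<data>" <process> <target>, so one parser serves both. The script below is an added example, not part of this report and not code from any sandbox: it parses rows of that shape, reports which Defender real-time protections each process switched off, and orders the wextract_cleanupN entries into the nested self-extractor chain. The sample rows are copied from this report's behavioral2 tables; the DisableAntiSpyware value is an assumption about what a fuller Defender check would also cover, since this run did not touch it.

```python
"""Triage 'Set value' rows from a sandbox signature table.

Added example, not code from the report or from any sandbox: flags Windows
Defender real-time-protection tampering and reconstructs the nested wextract
(IExpress self-extractor) stage order from RunOnce cleanup entries.
"""
from __future__ import annotations

import re
from typing import Iterable, NamedTuple, Optional

# Row shape used by the report: Set value (<type>) <key>\<name> = "<data>" <process> <target>
# The data field is C-style escaped (\\ and \"), so it is matched as escaped pairs.
ROW_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<path>.+?) = '
    r'"(?P<data>(?:[^"\\]|\\.)*)" (?P<process>.+) (?P<target>\S+)$'
)
CLEANUP_RE = re.compile(r'^wextract_cleanup(\d+)$')
DELNODE_RE = re.compile(r'DelNodeRunDLL32 "([^"]+)"')

DEFENDER_POLICY = r'\Policies\Microsoft\Windows Defender'
# Policy values that disable a Defender component when set to 1. The first five
# appear in this report; DisableAntiSpyware (one key up) is an assumed addition.
DEFENDER_DISABLE_VALUES = {
    'DisableBehaviorMonitoring', 'DisableIOAVProtection', 'DisableOnAccessProtection',
    'DisableRealtimeMonitoring', 'DisableScanOnRealtimeEnable', 'DisableAntiSpyware',
}

# Constructed input: rows copied from this report's behavioral2 signature tables.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe N/A',
]


class SetValue(NamedTuple):
    vtype: str
    key: str       # registry key path without the value name
    name: str      # value name
    data: str      # unescaped data
    process: str   # process that performed the write


def unescape(s: str) -> str:
    """Undo the report's C-style escaping inside the quoted data field."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_set_value(row: str) -> Optional[SetValue]:
    """Parse one 'Set value' row; rows of other kinds (Key created, ...) yield None."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    key, _, name = m.group('path').rpartition('\\')
    return SetValue(m.group('vtype'), key, name, unescape(m.group('data')), m.group('process'))


def defender_tampering(rows: Iterable[str]) -> dict[str, set[str]]:
    """Map each writing process to the Defender protections it switched off."""
    hits: dict[str, set[str]] = {}
    for sv in filter(None, map(parse_set_value, rows)):
        if DEFENDER_POLICY in sv.key and sv.name in DEFENDER_DISABLE_VALUES and sv.data == '1':
            hits.setdefault(sv.process, set()).add(sv.name)
    return hits


def wextract_chain(rows: Iterable[str]) -> list[tuple[str, str]]:
    """Order wextract_cleanupN RunOnce entries by stage.

    Each self-extractor stage registers deletion of the IXP00N.TMP directory it
    unpacked into, and the registering process is the executable the previous
    stage extracted, so (process basename, directory) sorted by N is the nesting.
    """
    stages = []
    for sv in filter(None, map(parse_set_value, rows)):
        n, d = CLEANUP_RE.match(sv.name), DELNODE_RE.search(sv.data)
        if n and d and sv.key.endswith(r'\CurrentVersion\RunOnce'):
            stages.append((int(n.group(1)), sv.process.rsplit('\\', 1)[-1], d.group(1)))
    return [(proc, path) for _, proc, path in sorted(stages)]


if __name__ == '__main__':
    for proc, names in defender_tampering(SAMPLE_ROWS).items():
        print(f'{proc} disabled: {", ".join(sorted(names))}')
    for depth, (proc, path) in enumerate(wextract_chain(SAMPLE_ROWS)):
        print(f'{"  " * depth}{proc} -> {path}')
```

Run as a script it prints the single AppLaunch.exe writer with its five disabled protections and the four-stage chain from the sample binary down to IXP003.TMP. The escaped-data regex is the part worth keeping: the RunOnce data embeds quoted paths, so a naive split on quotes cuts the command line in the middle.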

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-IOUF9.tmp\is-S4GBD.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-KO89B.tmp C:\Users\Admin\AppData\Local\Temp\is-IOUF9.tmp\is-S4GBD.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-EL3UL.tmp C:\Users\Admin\AppData\Local\Temp\is-IOUF9.tmp\is-S4GBD.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-N4SHF.tmp C:\Users\Admin\AppData\Local\Temp\is-IOUF9.tmp\is-S4GBD.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-V16OP.tmp C:\Users\Admin\AppData\Local\Temp\is-IOUF9.tmp\is-S4GBD.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-IOUF9.tmp\is-S4GBD.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-IOUF9.tmp\is-S4GBD.tmp N/A
The is-XXXXX.tmp names, the unins000.dat uninstall log and the _isetup\_shfoldr.dll and _isdecmp.dll helpers in the file list above are Inno Setup's, so one stage of the chain is an Inno Setup installer that installs "PA Previewer" (previewer.exe) under Program Files (x86). The same previewer.exe later enables SeDebugPrivilege (see the AdjustPrivilegeToken rows), which a previewer has no reason to need.

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Enum\SCSI holds the device IDs of attached disks and controllers, and under VirtualBox, VMware, QEMU or Hyper-V those IDs carry the hypervisor's vendor strings, so enumerating the key is a cheap virtual-machine check. Here it is done both by the injected AppLaunch.exe host and by toolspub2.exe.

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
All three reads come from msedge.exe, which a Chromium-based browser does on its own to report the hardware model, so treat them as browser noise rather than sample behaviour unless other evidence ties them to the payload.

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
(62 further matches; no description, indicator, process or target recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7CDE.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A (30 matches, no process recorded, interleaved with the rows above in the original order)
Token: SeCreatePagefilePrivilege N/A N/A N/A (30 matches, no process recorded, each one immediately following a SeShutdownPrivilege row)
SeDebugPrivilege is the row that matters: a process enables it to open other processes regardless of their DACLs, which both code injection and credential theft need, and the four processes that enable it here (the injected AppLaunch.exe host, 7CDE.exe, kos.exe and the installed previewer.exe) are the ones to watch in the memory and injection rows. The SeShutdownPrivilege/SeCreatePagefilePrivilege pairs are not attributed to any process in this run.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (26 matches)
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe N/A
The msedge.exe rows are ordinary browser behaviour. AddInProcess.exe is another Microsoft-signed .NET host with no reason to look for the shell tray window on its own, so treat it as a second hollowed host alongside AppLaunch.exe.

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 matches)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe
PID 1384 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe
PID 1384 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe
PID 4936 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe
PID 4936 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe
PID 4936 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe
PID 4140 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe
PID 4480 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe
PID 4920 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4480 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7736190.exe
PID 1044 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7736190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4140 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8448418.exe
PID 2872 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8448418.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4936 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1550306.exe
PID 2648 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1550306.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1384 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e4501546.exe
PID 3196 wrote to memory of 472 N/A N/A C:\Windows\system32\cmd.exe
PID 472 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 472 wrote to memory of 428 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4392 wrote to memory of 2712 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe


Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe

"C:\Users\Admin\AppData\Local\Temp\fc18db83372bbba3bf7022910d2c5e8bbec0b1fa7afaf0c63f3be478e0ae9acc_JC.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4920 -ip 4920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 136

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7736190.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7736190.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1044 -ip 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 140

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8448418.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8448418.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2872 -ip 2872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4332 -ip 4332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1550306.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1550306.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2648 -ip 2648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e4501546.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e4501546.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6DE8.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd202746f8,0x7ffd20274708,0x7ffd20274718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd202746f8,0x7ffd20274708,0x7ffd20274718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2796 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1804478596689434835,11630353651518145751,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,1804478596689434835,11630353651518145751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2852 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\79EF.exe

C:\Users\Admin\AppData\Local\Temp\79EF.exe

C:\Users\Admin\AppData\Local\Temp\7CDE.exe

C:\Users\Admin\AppData\Local\Temp\7CDE.exe

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\83B5.exe

C:\Users\Admin\AppData\Local\Temp\83B5.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\88C7.exe

C:\Users\Admin\AppData\Local\Temp\88C7.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\is-IOUF9.tmp\is-S4GBD.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IOUF9.tmp\is-S4GBD.tmp" /SL4 $A0182 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2724 -ip 2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1444,10949856936797295218,13017621038109217244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 804

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RBvfugTGdvfZCHCgvSoHZdsYt2u1JwYhUP.RIG_CPU -p x --cpu-max-threads-hint=50

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2773778.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8927818.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4300333.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9123239.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7736190.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8448418.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1550306.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1550306.exe

MD5 cfd263d1eed0794bd50f7f443720465b
SHA1 8c313bdaa7076e7c0eb926e1720d05c73f81400c
SHA256 12b7b6504587cbca7517fe25a26e4bc730954686c8f61a6525cd9a3520804dbe
SHA512 b0da4f2d4e770dac0661087709a17085c36293a2786a537afb1179514142ddc8a671fc96ddb103e4e4fe5da0690c116d8acb3f1f72754f2a400f0c140c9a14a3

memory/3364-57-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3364-58-0x0000000073CB0000-0x0000000074460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e4501546.exe

MD5 ab038ed952c54ac763e06cf5971e3c51
SHA1 6c1b1d47f37cbe731b8f144048c0c10a76a1ac34
SHA256 d4ebde938b47b4c79a55b7b0460d11aa0360dcc49e43b0094660fdfe9f67cae1
SHA512 5cc45bdcebaccf08a1d97e13ab5923e17d9c26abd1314e83689126f4b9eb5a6af95a41cedfce4200d0fadfcc10aad99493650485cbf8005787a4064b873a7404

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e4501546.exe

MD5 ab038ed952c54ac763e06cf5971e3c51
SHA1 6c1b1d47f37cbe731b8f144048c0c10a76a1ac34
SHA256 d4ebde938b47b4c79a55b7b0460d11aa0360dcc49e43b0094660fdfe9f67cae1
SHA512 5cc45bdcebaccf08a1d97e13ab5923e17d9c26abd1314e83689126f4b9eb5a6af95a41cedfce4200d0fadfcc10aad99493650485cbf8005787a4064b873a7404

memory/4620-62-0x0000000073CB0000-0x0000000074460000-memory.dmp

memory/4620-63-0x0000000005560000-0x0000000005570000-memory.dmp

memory/3364-65-0x0000000073CB0000-0x0000000074460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6DE8.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6351be8b63227413881e5dfb033459cc
SHA1 f24489be1e693dc22d6aac7edd692833c623d502
SHA256 e24cda01850900bdb3a4ae5f590a76565664d7689026c146eb96bcd197dac88b
SHA512 66e249488a2f9aa020834f3deca7e4662574dcab0cbb684f21f295f46d71b11f9494b075288189d9df29e4f3414d4b86c27bf8823005d400a5946d7b477f0aef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

\??\pipe\LOCAL\crashpad_428_SBGMHUHJCQLCQIAL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_4392_QBXMDZMJMYGQIOHC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5692576130fe74b956191f258824a9ee
SHA1 d3ce17af73105b2ad6bbe863126803209e052524
SHA256 93613d5aa3a08deb267bd2e1754f5e022cbefe98584bd9c3a43a3510979786f8
SHA512 03d1727ff0cf3caefb1ec9a7fa98cac323e1f9324866ac6a4b4e81eb41d4b54385f248d41138e72864ed9140f73891ca72e4878cba6e6727e176f766704ea534

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6dfdece232d07c56a1fec8c68677802b
SHA1 8d278c2069f9471b761f727e07649b325002f468
SHA256 b4125f0864439057eae3c0e72a18038f394e000e6e043c9563fd82d01c07dbd1
SHA512 2245ce3beca01a9222a17fa30ce92799393305cc6c84df354792f7cf1dd118a9e6c3da635dd3558a5768b3e6edc10054def26c5519e4fca0d2de08d390bf9089

C:\Users\Admin\AppData\Local\Temp\79EF.exe

MD5 6b254caca548f0be01842a0c4bd4c649
SHA1 79bbeed18d08c3010e8954f6d5c9f52967dcc32e
SHA256 01a7afff3220c1a442e3b8bc41dbf4036e9c223f9aab374265d9beae0709e434
SHA512 b69f8c71f2b71268150cc74e8e842b6526e87c5e944d163bb3def85cc919428c249a733ca9bbefc4cf4b80a8dbf6961b8e6f0333194713faf10551b8eb97d3ff

C:\Users\Admin\AppData\Local\Temp\79EF.exe

MD5 6b254caca548f0be01842a0c4bd4c649
SHA1 79bbeed18d08c3010e8954f6d5c9f52967dcc32e
SHA256 01a7afff3220c1a442e3b8bc41dbf4036e9c223f9aab374265d9beae0709e434
SHA512 b69f8c71f2b71268150cc74e8e842b6526e87c5e944d163bb3def85cc919428c249a733ca9bbefc4cf4b80a8dbf6961b8e6f0333194713faf10551b8eb97d3ff

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

C:\Users\Admin\AppData\Local\Temp\7CDE.exe

MD5 ef11a166e73f258d4159c1904485623c
SHA1 bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e
SHA256 dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747
SHA512 2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

memory/4388-246-0x000002607B6B0000-0x000002607B792000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/4388-251-0x000002607BED0000-0x000002607BFA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/4492-253-0x00000000004B0000-0x0000000000624000-memory.dmp

memory/4492-254-0x0000000073CB0000-0x0000000074460000-memory.dmp

memory/4388-256-0x000002607BFA0000-0x000002607BFEC000-memory.dmp

memory/4388-250-0x000002607B6A0000-0x000002607B6B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\83B5.exe

MD5 52c2f13a9fa292d1f32439dde355ff71
SHA1 03a9aa82a8070de26b9a347cfbd4090fd239f8df
SHA256 020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
SHA512 097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

memory/4932-261-0x0000000000320000-0x00000000004F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\83B5.exe

MD5 52c2f13a9fa292d1f32439dde355ff71
SHA1 03a9aa82a8070de26b9a347cfbd4090fd239f8df
SHA256 020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
SHA512 097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/4796-236-0x00007FF604BE0000-0x00007FF604CB9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/4604-278-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/4916-279-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\88C7.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

memory/4932-271-0x0000000000320000-0x00000000004F8000-memory.dmp

memory/4388-234-0x00007FFD1DA70000-0x00007FFD1E531000-memory.dmp

memory/4388-224-0x00000260798B0000-0x0000026079996000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

C:\Users\Admin\AppData\Local\Temp\7CDE.exe

MD5 ef11a166e73f258d4159c1904485623c
SHA1 bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e
SHA256 dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747
SHA512 2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/4416-311-0x0000000000130000-0x0000000000138000-memory.dmp

memory/4932-309-0x0000000000320000-0x00000000004F8000-memory.dmp

memory/4492-315-0x0000000073CB0000-0x0000000074460000-memory.dmp

memory/4416-316-0x00007FFD1DA70000-0x00007FFD1E531000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-IOUF9.tmp\is-S4GBD.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\AppData\Local\Temp\is-IOUF9.tmp\is-S4GBD.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/4604-318-0x0000000073CB0000-0x0000000074460000-memory.dmp

memory/4388-336-0x00007FFD1DA70000-0x00007FFD1E531000-memory.dmp

memory/4604-338-0x0000000007AB0000-0x0000000008054000-memory.dmp

memory/4796-356-0x00000000032A0000-0x00000000033D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ee4efdd501336382b20d26936969f9bf
SHA1 69a06f8e21ad52f44ccb1d164b9e22be6365b946
SHA256 e368ff546944165b599bede30f7298cec0d483ef5248f011d0e78fd815010f91
SHA512 041f3ea8a29c94960591d72b705eb904b058520ee0a70e1e2254e4da8bab2086b33de7cbfb1e26d70389a6a02d2842fcf01d0d84c4dc62d0792135751bcab31e

memory/4388-367-0x00007FFD1DA70000-0x00007FFD1E531000-memory.dmp

memory/2840-372-0x000001CA53460000-0x000001CA53562000-memory.dmp

memory/4604-371-0x0000000007780000-0x000000000778A000-memory.dmp

memory/2840-385-0x00007FFD1DA70000-0x00007FFD1E531000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 11cf6d30ad0e964cedf637c026524de2
SHA1 e3ae3ab7de4cbb36493ed67005b6df7381643a3e
SHA256 4269a3941d8eea6dac499e044572c16890a70684f5c75eed8f42aaab03ad7525
SHA512 87512b02083e09cc77f6d756b7deb818ecbf703d7440e93572333ab6adae53a16f6e1cd20111120904c696effae871a1e9ea9647b026c3fb0c313c0bb354bee9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 eb900aecc6d2d49a9fab7d6d1a013cd5
SHA1 7cc0607c46a763d98ac7d66378d6ca0fe67d9a38
SHA256 64c46187b6f0679294f31ef3fca4939fd9b39665d22cc6c26385b6ee240e3755
SHA512 714d97456abc1e504e760a89f05afd05380fef1d29468ec96d7572a88c3489679976befbfabbe74ae18b4a2ddd51299d0015420e38a11ef4ff7da2056edf6433

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 08cbb77e84d413dfbb5e0a6d41671a9c
SHA1 b1092176e65f4d63f7cbb98f6a7e503dbf70ffeb
SHA256 bdec1d08f20c2ac4167c23bae35bcf63357a10db9f367dedf4bd45572c2b8df8
SHA512 07a07341d3eb790d27bff1a6447377a163077124dd1d6c055b6a2e2b724626d3dcc3dc15e0c31376a68bda70800e8f03941fa8ae5968d576bce6269be6fc9176

memory/2724-399-0x0000000073CB0000-0x0000000074460000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f18a2a6fbf59f31c05c8ce70340e2326
SHA1 276193cf95547c136afdd1f8bf552f714f63c7d3
SHA256 d9ead12119a9723a95ded9f575e7dfb07aeabe7f13b3813ef1da56b1bb122026
SHA512 59da22954875b535d28b656a86dee8fb3386fce5c79fa2ada6b46faa2c29927d6a11c4be894472846dfd31a252804b60c45d4b95dca1b687efdde361db2bf395

memory/4604-417-0x0000000007810000-0x0000000007820000-memory.dmp

memory/1388-429-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d24e1047c6d1c3397e56cdcb9f41bfb4
SHA1 4da13529007a287fe742d7e0812d469ec12ddc09
SHA256 25d459bc3dbe5d51a64fc4882be9ab371156595a9ccd5d6ca344eb6f681041f8
SHA512 e496e25049a7df585796534c371ec1c298f97ceb66a8a8fdd45aba26dee0a3e496c7ad2d142e14de7cb8796befae6f4f43e55a264fb0d2f9a942d4db00c7b2f5

memory/3204-456-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2840-455-0x000001CA3AD10000-0x000001CA3AD66000-memory.dmp

memory/2840-454-0x000001CA39360000-0x000001CA39368000-memory.dmp

memory/1388-398-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2840-369-0x000001CA393F0000-0x000001CA39400000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5692576130fe74b956191f258824a9ee
SHA1 d3ce17af73105b2ad6bbe863126803209e052524
SHA256 93613d5aa3a08deb267bd2e1754f5e022cbefe98584bd9c3a43a3510979786f8
SHA512 03d1727ff0cf3caefb1ec9a7fa98cac323e1f9324866ac6a4b4e81eb41d4b54385f248d41138e72864ed9140f73891ca72e4878cba6e6727e176f766704ea534

memory/4796-366-0x0000000003120000-0x0000000003291000-memory.dmp

memory/2724-346-0x0000000000400000-0x0000000000469000-memory.dmp

memory/2724-345-0x00000000006A0000-0x00000000006FA000-memory.dmp

memory/2840-339-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4604-341-0x00000000075E0000-0x0000000007672000-memory.dmp

memory/1948-340-0x0000000000610000-0x0000000000611000-memory.dmp

memory/4416-337-0x000000001ADF0000-0x000000001AE00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AAKTN.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-AAKTN.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Users\Admin\AppData\Local\Temp\is-AAKTN.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Users\Admin\AppData\Local\Temp\88C7.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

memory/4604-459-0x0000000008190000-0x00000000081F6000-memory.dmp

memory/3204-461-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 c966b2ccc1e5735bb91177fe92a00ecd
SHA1 3709c15ff278e84fe5b5bb30f24d259a5ab54661
SHA256 cb41324daf4795bd7e2d4108a51f2a963a326c0fe8c6436f49a85168a6b8492f
SHA512 b8e71e51e183c802dc214cb59f8554db9450d2c84d35d743664456f8124186e36c5725e20406d3debfcf160ef93435c3d902e6a93403e7288c12a9505b4cfd17

memory/4916-482-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/1948-544-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/2840-545-0x000001CA393F0000-0x000001CA39400000-memory.dmp

memory/4416-546-0x00007FFD1DA70000-0x00007FFD1E531000-memory.dmp

memory/4604-547-0x0000000073CB0000-0x0000000074460000-memory.dmp

memory/2984-548-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4416-549-0x000000001ADF0000-0x000000001AE00000-memory.dmp

memory/1288-552-0x00000000005C0000-0x00000000005C9000-memory.dmp

memory/1160-551-0x0000000002AB0000-0x0000000002EA8000-memory.dmp

memory/1288-550-0x0000000000560000-0x0000000000575000-memory.dmp

memory/2984-554-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1160-553-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1160-555-0x0000000002EB0000-0x000000000379B000-memory.dmp

memory/4796-559-0x00000000032A0000-0x00000000033D1000-memory.dmp

memory/2724-557-0x0000000073CB0000-0x0000000074460000-memory.dmp

memory/1160-572-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_03mmfl5a.xvl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2984-596-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3196-595-0x0000000002C90000-0x0000000002CA6000-memory.dmp

memory/1160-608-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/892-612-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/892-615-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/892-618-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/892-630-0x000001A00C110000-0x000001A00C130000-memory.dmp

memory/892-632-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/892-634-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/892-635-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/892-636-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/892-637-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/3204-642-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/3204-655-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/3204-657-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/892-662-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/892-663-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/3204-665-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/3204-668-0x0000000000400000-0x00000000005F1000-memory.dmp