Malware Analysis Report

2025-06-16 02:09

Sample ID 231002-j1cyjagc9v
Target 298501e26bfe53d37eef3db9e1d4f0f0.exe
SHA256 2498f3731f28ee9ecd69110ee8ca909b4bf86ca07011e9f015f71a0cbe48e54b
Tags
amadey dcrat fabookie glupteba healer mystic redline smokeloader @ytlogsbot up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan genda larek microsoft
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2498f3731f28ee9ecd69110ee8ca909b4bf86ca07011e9f015f71a0cbe48e54b

Threat Level: Known bad

The file 298501e26bfe53d37eef3db9e1d4f0f0.exe was found to be: Known bad.

Malicious Activity Summary

amadey dcrat fabookie glupteba healer mystic redline smokeloader @ytlogsbot up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan genda larek microsoft

Windows security bypass

Detect Fabookie payload

Detected google phishing page

Fabookie

Glupteba

Modifies Windows Defender Real-time Protection settings

RedLine payload

Amadey

Healer

DcRat

Glupteba payload

SmokeLoader

Detects Healer an antivirus disabler dropper

RedLine

Mystic

Modifies boot configuration data using bcdedit

Drops file in Drivers directory

Possible attempt to disable PatchGuard

Downloads MZ/PE file

Modifies Windows Firewall

Windows security modification

Uses the VBS compiler for execution

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Manipulates WinMonFS driver.

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Manipulates WinMon driver.

Detected potential entity reuse from brand microsoft.

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies system certificate store

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-02 08:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-02 08:07

Reported

2023-10-02 08:10

Platform

win7-20230831-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\A577.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\A577.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\A577.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\A577.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\A577.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\A577.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9CDC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A103.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A577.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A6EE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B86D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C5F5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gerrbue N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gfrrbue N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gerrbue N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A6EE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B86D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B86D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B86D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B86D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B86D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B86D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B86D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\A577.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\A577.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9BB3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-IAQ3P.tmp C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-UVPL5.tmp C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-9PVT5.tmp C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-7CHRF.tmp C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20231002080841.cab C:\Windows\system32\makecab.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\gerrbue N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\gerrbue N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\gerrbue N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70a192ab07f5d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac200000000020000000000106600000001000020000000a4e78bf8625a8995f8c51334f19e611baa03090b2e8dd2bae434f220e4bc99a7000000000e8000000002000020000000553fae4ce2d621332a22bed437cbd9b1bd71a0e5bb7081073166ffce050780e32000000012e778cdec4e2ba28136e9c5c30642b384e2d377c4535fccf4a2a5c73de7c40540000000e0c8c17666b31d634f9212719f97e9e169d39a7806c8e32cee5ae0e8129eede451d22126c22fc946c70805fb4cd2a67f9dba2b7c53b3763b99dbe5e1cff5d3d0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac200000000020000000000106600000001000020000000e4147e7065fbbe14eba62187e9b9caec1ad0a247e2d373d02dee4ff201d5e54a000000000e800000000200002000000054798c6b60b6cdaca9826633094ee95e6d176f5e8dcd9721969fd4226a1be2b290000000d44094e13557a8b01578f20a1cb7deaec1a4355a896ddfd6dda2771892f411cd3c23a0e1687c59359c4bba6bc3b3ac866d12637a547d00ac7a893697877366b479b8ac60f2e649c9bf0cf0a4b12f0675ee0e1f9a9bddaa949066c5dc953a18f4ae9cefc5a14b5eeb708f5b1b17d6ab187896ecb37cde3644ebed5a6c3bc58af771993899c7ad93046cf20f2049609f1e40000000e3724c7f67c3a3527ec13bfcaeb59a273db0449659aae992cb75937f6ffbb9e316aa7182e91db8e6f3c16025d3789a2704ec3b54ae8ab7c01dbadb4423fa95aa C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402999066" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D47DA2B1-60FA-11EE-A967-7A253D57155B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gerrbue N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A577.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2244 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2244 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2244 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2244 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2244 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2244 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2244 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2244 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2244 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2244 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\SysWOW64\WerFault.exe
PID 2244 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\SysWOW64\WerFault.exe
PID 2244 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\SysWOW64\WerFault.exe
PID 2244 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\SysWOW64\WerFault.exe
PID 1280 wrote to memory of 1648 N/A N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe
PID 1280 wrote to memory of 1648 N/A N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe
PID 1280 wrote to memory of 1648 N/A N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe
PID 1280 wrote to memory of 1648 N/A N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe
PID 1280 wrote to memory of 1648 N/A N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe
PID 1280 wrote to memory of 1648 N/A N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe
PID 1280 wrote to memory of 1648 N/A N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe
PID 1280 wrote to memory of 2728 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CDC.exe
PID 1280 wrote to memory of 2728 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CDC.exe
PID 1280 wrote to memory of 2728 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CDC.exe
PID 1280 wrote to memory of 2728 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CDC.exe
PID 1648 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
PID 1648 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
PID 1648 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
PID 1648 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
PID 1648 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
PID 1648 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
PID 1648 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\9BB3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
PID 1676 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
PID 1676 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
PID 1676 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
PID 1676 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
PID 1676 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
PID 1676 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
PID 1676 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
PID 1280 wrote to memory of 2512 N/A N/A C:\Windows\system32\cmd.exe
PID 1280 wrote to memory of 2512 N/A N/A C:\Windows\system32\cmd.exe
PID 1280 wrote to memory of 2512 N/A N/A C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\9CDC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2728 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\9CDC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2728 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\9CDC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2728 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\9CDC.exe C:\Windows\SysWOW64\WerFault.exe
PID 872 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
PID 872 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
PID 872 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
PID 872 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
PID 872 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
PID 872 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
PID 872 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
PID 2532 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
PID 2532 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
PID 2532 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
PID 2532 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
PID 2532 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
PID 2532 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
PID 2532 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
PID 1280 wrote to memory of 780 N/A N/A C:\Users\Admin\AppData\Local\Temp\A103.exe
PID 1280 wrote to memory of 780 N/A N/A C:\Users\Admin\AppData\Local\Temp\A103.exe
PID 1280 wrote to memory of 780 N/A N/A C:\Users\Admin\AppData\Local\Temp\A103.exe
PID 1280 wrote to memory of 780 N/A N/A C:\Users\Admin\AppData\Local\Temp\A103.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe

"C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 76

C:\Users\Admin\AppData\Local\Temp\9BB3.exe

C:\Users\Admin\AppData\Local\Temp\9BB3.exe

C:\Users\Admin\AppData\Local\Temp\9CDC.exe

C:\Users\Admin\AppData\Local\Temp\9CDC.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 132

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe

C:\Users\Admin\AppData\Local\Temp\A103.exe

C:\Users\Admin\AppData\Local\Temp\A103.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\9EF0.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 132

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\A577.exe

C:\Users\Admin\AppData\Local\Temp\A577.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2880 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\A6EE.exe

C:\Users\Admin\AppData\Local\Temp\A6EE.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 280

C:\Users\Admin\AppData\Local\Temp\B86D.exe

C:\Users\Admin\AppData\Local\Temp\B86D.exe

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\C5F5.exe

C:\Users\Admin\AppData\Local\Temp\C5F5.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp

"C:\Users\Admin\AppData\Local\Temp\is-96HVN.tmp\is-50B11.tmp" /SL4 $B0246 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231002080841.log C:\Windows\Logs\CBS\CbsPersist_20231002080841.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\taskeng.exe

taskeng.exe {B765AFBF-78D2-486A-BC33-22ABAC493839} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "757513135-467133090219380648-1275452243703202852-193092879816697062561684226955"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Roaming\gfrrbue

C:\Users\Admin\AppData\Roaming\gfrrbue

C:\Users\Admin\AppData\Roaming\gerrbue

C:\Users\Admin\AppData\Roaming\gerrbue

C:\Users\Admin\AppData\Roaming\gerrbue

C:\Users\Admin\AppData\Roaming\gerrbue

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 www.facebook.com udp
RU 5.42.92.211:80 5.42.92.211 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.206:443 accounts.youtube.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.80:80 apps.identrust.com tcp
US 8.8.8.8:53 iplogger.com udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
DE 148.251.234.93:443 iplogger.com tcp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
DE 148.251.234.93:443 iplogger.com tcp
MD 176.123.4.46:33783 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
DE 148.251.234.93:443 iplogger.com tcp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 68b0b351-9c76-4891-ac4e-242110872b8a.uuid.ramboclub.net udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
DE 148.251.234.93:443 iplogger.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 server11.ramboclub.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun1.l.google.com udp
BG 185.82.216.48:443 server11.ramboclub.net tcp
US 142.251.125.127:19302 stun1.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 datasheet.fun udp
US 172.67.166.109:80 datasheet.fun tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp

Files

memory/2596-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2596-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2596-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2596-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2596-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1280-5-0x0000000003830000-0x0000000003846000-memory.dmp

memory/2596-6-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9BB3.exe

MD5 099b3d4378bb94aa106135ed1fc4d922
SHA1 2f9609032c3aea88a01321ce705a5fcded2a74d8
SHA256 271baf68891b775c19ff448ad18177a1dd25956d7a8d6c9a1a04cd454b84f9db
SHA512 50ce310246854d65e902f0d8e586732e2d94d4b9f713edf4be070a2d1de57bd551f885cc5d3df869180aa0d9e0920ca2d474f3919281025340e750249a06fdfe

C:\Users\Admin\AppData\Local\Temp\9BB3.exe

MD5 099b3d4378bb94aa106135ed1fc4d922
SHA1 2f9609032c3aea88a01321ce705a5fcded2a74d8
SHA256 271baf68891b775c19ff448ad18177a1dd25956d7a8d6c9a1a04cd454b84f9db
SHA512 50ce310246854d65e902f0d8e586732e2d94d4b9f713edf4be070a2d1de57bd551f885cc5d3df869180aa0d9e0920ca2d474f3919281025340e750249a06fdfe

C:\Users\Admin\AppData\Local\Temp\9CDC.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

C:\Users\Admin\AppData\Local\Temp\9CDC.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

\Users\Admin\AppData\Local\Temp\9BB3.exe

MD5 099b3d4378bb94aa106135ed1fc4d922
SHA1 2f9609032c3aea88a01321ce705a5fcded2a74d8
SHA256 271baf68891b775c19ff448ad18177a1dd25956d7a8d6c9a1a04cd454b84f9db
SHA512 50ce310246854d65e902f0d8e586732e2d94d4b9f713edf4be070a2d1de57bd551f885cc5d3df869180aa0d9e0920ca2d474f3919281025340e750249a06fdfe

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe

MD5 a67fb4171f897930464e5f48ca226432
SHA1 596933d03d071a6653c67e01cc047c934649aba2
SHA256 28038eb5c01bf791e49727f20826e6fad223d116b70238261696539425719669
SHA512 6ffa5b0a6ff9c514c001dc407c4ca5ba69c5bb9337296387dde3fba167e5b7935885565dab84260e8d2ad380a6dff83e92a0650272563c48bcb38923b09d6c52

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe

MD5 a67fb4171f897930464e5f48ca226432
SHA1 596933d03d071a6653c67e01cc047c934649aba2
SHA256 28038eb5c01bf791e49727f20826e6fad223d116b70238261696539425719669
SHA512 6ffa5b0a6ff9c514c001dc407c4ca5ba69c5bb9337296387dde3fba167e5b7935885565dab84260e8d2ad380a6dff83e92a0650272563c48bcb38923b09d6c52

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe

MD5 a67fb4171f897930464e5f48ca226432
SHA1 596933d03d071a6653c67e01cc047c934649aba2
SHA256 28038eb5c01bf791e49727f20826e6fad223d116b70238261696539425719669
SHA512 6ffa5b0a6ff9c514c001dc407c4ca5ba69c5bb9337296387dde3fba167e5b7935885565dab84260e8d2ad380a6dff83e92a0650272563c48bcb38923b09d6c52

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe

MD5 a67fb4171f897930464e5f48ca226432
SHA1 596933d03d071a6653c67e01cc047c934649aba2
SHA256 28038eb5c01bf791e49727f20826e6fad223d116b70238261696539425719669
SHA512 6ffa5b0a6ff9c514c001dc407c4ca5ba69c5bb9337296387dde3fba167e5b7935885565dab84260e8d2ad380a6dff83e92a0650272563c48bcb38923b09d6c52

\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe

MD5 24a8217ddd7bb28c2aabe78e51ae4b7c
SHA1 3a521565cd894883b72b73bdfc2053aa1a60bbf6
SHA256 8a379a26434d4c79d0dd51288fbeb8227f665cdfb02742de105a9b1a7f8f1d7b
SHA512 5a17a45a5e8ac9b0bf76686751fe061482f4b43eb23b2f954b26c49313013ea419921eb46d6e98d84056767e1af72cb105c1cf3bf39c1ab5583c8f325df8a903

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe

MD5 24a8217ddd7bb28c2aabe78e51ae4b7c
SHA1 3a521565cd894883b72b73bdfc2053aa1a60bbf6
SHA256 8a379a26434d4c79d0dd51288fbeb8227f665cdfb02742de105a9b1a7f8f1d7b
SHA512 5a17a45a5e8ac9b0bf76686751fe061482f4b43eb23b2f954b26c49313013ea419921eb46d6e98d84056767e1af72cb105c1cf3bf39c1ab5583c8f325df8a903

\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe

MD5 24a8217ddd7bb28c2aabe78e51ae4b7c
SHA1 3a521565cd894883b72b73bdfc2053aa1a60bbf6
SHA256 8a379a26434d4c79d0dd51288fbeb8227f665cdfb02742de105a9b1a7f8f1d7b
SHA512 5a17a45a5e8ac9b0bf76686751fe061482f4b43eb23b2f954b26c49313013ea419921eb46d6e98d84056767e1af72cb105c1cf3bf39c1ab5583c8f325df8a903

\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe

MD5 852c0f3c1b7ce4d69fffd93b5e02a93f
SHA1 d58b19886548efa210002ff03eb900c336c5d2e2
SHA256 ddbfe58547bb89c62e41eb7e04df2db155ae635a410982eccdd03364d72570fa
SHA512 ea9820107653520c862447f51c600094e37c6ef711eb55c071f830d0c559b34cb535099083d03b52efb322bf1426ebdc42c6645e70ccf9c151edf447538a2df4

C:\Users\Admin\AppData\Local\Temp\9EF0.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\9CDC.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe

MD5 7f6112421b9caa7f2b9f690297d3dc26
SHA1 de8a94e43e7943fef6a2d5e27b87a334fb30fb89
SHA256 753df5549a1e75d223204cf4f8979bbaad9086a0cdf3182cac159550e98f12c0
SHA512 0f8de918907e1ea96c1758c4157ce85ef10039ebdb901f65c7a68cc7696bbf6d1b085d2f650677b9337407cc8409b7fd4b3d224e52d6efb42b234b1df058a1bb

\Users\Admin\AppData\Local\Temp\9CDC.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

C:\Users\Admin\AppData\Local\Temp\9EF0.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe

MD5 7f6112421b9caa7f2b9f690297d3dc26
SHA1 de8a94e43e7943fef6a2d5e27b87a334fb30fb89
SHA256 753df5549a1e75d223204cf4f8979bbaad9086a0cdf3182cac159550e98f12c0
SHA512 0f8de918907e1ea96c1758c4157ce85ef10039ebdb901f65c7a68cc7696bbf6d1b085d2f650677b9337407cc8409b7fd4b3d224e52d6efb42b234b1df058a1bb

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe

MD5 7f6112421b9caa7f2b9f690297d3dc26
SHA1 de8a94e43e7943fef6a2d5e27b87a334fb30fb89
SHA256 753df5549a1e75d223204cf4f8979bbaad9086a0cdf3182cac159550e98f12c0
SHA512 0f8de918907e1ea96c1758c4157ce85ef10039ebdb901f65c7a68cc7696bbf6d1b085d2f650677b9337407cc8409b7fd4b3d224e52d6efb42b234b1df058a1bb

\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe

MD5 7f6112421b9caa7f2b9f690297d3dc26
SHA1 de8a94e43e7943fef6a2d5e27b87a334fb30fb89
SHA256 753df5549a1e75d223204cf4f8979bbaad9086a0cdf3182cac159550e98f12c0
SHA512 0f8de918907e1ea96c1758c4157ce85ef10039ebdb901f65c7a68cc7696bbf6d1b085d2f650677b9337407cc8409b7fd4b3d224e52d6efb42b234b1df058a1bb

\Users\Admin\AppData\Local\Temp\9CDC.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

\Users\Admin\AppData\Local\Temp\9CDC.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe

MD5 852c0f3c1b7ce4d69fffd93b5e02a93f
SHA1 d58b19886548efa210002ff03eb900c336c5d2e2
SHA256 ddbfe58547bb89c62e41eb7e04df2db155ae635a410982eccdd03364d72570fa
SHA512 ea9820107653520c862447f51c600094e37c6ef711eb55c071f830d0c559b34cb535099083d03b52efb322bf1426ebdc42c6645e70ccf9c151edf447538a2df4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe

MD5 852c0f3c1b7ce4d69fffd93b5e02a93f
SHA1 d58b19886548efa210002ff03eb900c336c5d2e2
SHA256 ddbfe58547bb89c62e41eb7e04df2db155ae635a410982eccdd03364d72570fa
SHA512 ea9820107653520c862447f51c600094e37c6ef711eb55c071f830d0c559b34cb535099083d03b52efb322bf1426ebdc42c6645e70ccf9c151edf447538a2df4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe

MD5 852c0f3c1b7ce4d69fffd93b5e02a93f
SHA1 d58b19886548efa210002ff03eb900c336c5d2e2
SHA256 ddbfe58547bb89c62e41eb7e04df2db155ae635a410982eccdd03364d72570fa
SHA512 ea9820107653520c862447f51c600094e37c6ef711eb55c071f830d0c559b34cb535099083d03b52efb322bf1426ebdc42c6645e70ccf9c151edf447538a2df4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe

MD5 24a8217ddd7bb28c2aabe78e51ae4b7c
SHA1 3a521565cd894883b72b73bdfc2053aa1a60bbf6
SHA256 8a379a26434d4c79d0dd51288fbeb8227f665cdfb02742de105a9b1a7f8f1d7b
SHA512 5a17a45a5e8ac9b0bf76686751fe061482f4b43eb23b2f954b26c49313013ea419921eb46d6e98d84056767e1af72cb105c1cf3bf39c1ab5583c8f325df8a903

C:\Users\Admin\AppData\Local\Temp\A103.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

C:\Users\Admin\AppData\Local\Temp\A103.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe

MD5 6de25e4bd7e214f28e993a708dd8a3fe
SHA1 c7dde639c9b312d47acf3ff82a965a321294622b
SHA256 e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003
SHA512 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe

MD5 6de25e4bd7e214f28e993a708dd8a3fe
SHA1 c7dde639c9b312d47acf3ff82a965a321294622b
SHA256 e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003
SHA512 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7

\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe

MD5 6de25e4bd7e214f28e993a708dd8a3fe
SHA1 c7dde639c9b312d47acf3ff82a965a321294622b
SHA256 e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003
SHA512 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe

MD5 6de25e4bd7e214f28e993a708dd8a3fe
SHA1 c7dde639c9b312d47acf3ff82a965a321294622b
SHA256 e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003
SHA512 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7

\Users\Admin\AppData\Local\Temp\A103.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

\Users\Admin\AppData\Local\Temp\A103.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

\Users\Admin\AppData\Local\Temp\A103.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

\Users\Admin\AppData\Local\Temp\A103.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

C:\Users\Admin\AppData\Local\Temp\A577.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\A577.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\A6EE.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\A6EE.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\A6EE.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1592-153-0x0000000001240000-0x000000000124A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

C:\Users\Admin\AppData\Local\Temp\CabAAA3.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/1592-188-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

C:\Users\Admin\AppData\Local\Temp\TarAF38.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ef15463e0a62dbe24db7d3dc9e06874a
SHA1 53384a309c018c7a9dd56eab7b486ac07b75c83d
SHA256 7657572bcc30b9efcf71261b752ed95e1b61c244da5285b37a7eae17de6f6aea
SHA512 d40b792c61337d794c422911e7c83e55d1f2887748da7ac94f669953c654eb69befe7661184a0c758656eb754b09a6c104eb03ed4f5d6fae2f65051e4e1bbbf3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2399df65c6758690d610e633fdf69950
SHA1 80dc02bdd8d7280b62a215865ddf7d00a320dc18
SHA256 1608c241dd4b739d3de1215d9e8eb7487f51c2e0557ab7d7699a73bd20d09295
SHA512 ccf03b50a507807b2d91f5fcb454af9cbbdf58e3851a2e216531182a14e8467e4a875d3f4f4dfa1a70928b43eeac2fb591014e9658273802f86e235be48761d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5107681c2b06eeca55b7aedbc74e2be4
SHA1 b167d03c92ae312f7b7d3b82dff9762251fa66af
SHA256 3cef14ff0529b3ef6fc60ff7e6ece4868eee8f11768d50fb1a94793db235668e
SHA512 9a0be4b6bf535c4049912ca1e30b19f1253beedf31e5c4eab13667a25e377de3f2b5bec0fde0f860d5bd7c592bb1725998decf3bbaee9aec499e01b7df4ca200

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

MD5 545c3e123f300fb2b48301a5c4a40851
SHA1 b63e30e69a8c4c03b8475ae638782fcfc6edc0b3
SHA256 3204c9325b2e5994c3bf79310786fe970e89c35a214a843d2d399a55d97c270c
SHA512 590404de4656fa2a9285251a2aaf5e269f29284c8e3f6e5e26d4d525c2c4b7a6dbd3f719a77e76ee7549e47260eb6083aba16077bcb7c26a13d60475b3fb0ec0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

MD5 b7ccb05f174692b8ed209201a594dcef
SHA1 5a69dfc338b7f0fdcb281257e84373bf443cbdb5
SHA256 6104ab2c99a43323f9d327441ca664f88539ea5648fb16e48cf8172f6aef49cc
SHA512 1a229847b6658f5ae5bf828ef56e694712a8f2ecc54377c6ab06b6c551936b3eb0115f865b3cddf6769b240af382d25c6a895e705d421c3fae9d611851b66beb

C:\Users\Admin\AppData\Local\Temp\B86D.exe

MD5 3c81534d635fbe4bfab2861d98422f70
SHA1 9cc995fa42313cd82eacaad9e3fe818cd3805f58
SHA256 88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f
SHA512 132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ABGWT92S\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

memory/1696-382-0x00000000FF640000-0x00000000FF6AA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5h7y85m\imagestore.dat

MD5 d922afa12df6c22de24f6761a255dc01
SHA1 3c026a23b14ee75366e8babdf25e9dc24fadfb06
SHA256 210abd2aba593e85118f7ab0e55b20a748592a2033a5442c3a18c709e8465797
SHA512 8d0ecbfde4fa14d0425649d4a6c8d1b3d28fb131a2a92e41b2754612d99980f3707683c58b697efc2084b91fcaf87257f8d606dd5d009735ffdfbf822f21978c

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 7ea584dc49967de03bebdacec829b18d
SHA1 3d47f0e88c7473bedeed2f14d7a8db1318b93852
SHA256 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53
SHA512 ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 7ea584dc49967de03bebdacec829b18d
SHA1 3d47f0e88c7473bedeed2f14d7a8db1318b93852
SHA256 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53
SHA512 ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 7ea584dc49967de03bebdacec829b18d
SHA1 3d47f0e88c7473bedeed2f14d7a8db1318b93852
SHA256 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53
SHA512 ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

memory/1768-404-0x0000000004310000-0x0000000004708000-memory.dmp

memory/2992-406-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2992-405-0x0000000002730000-0x0000000002830000-memory.dmp

memory/1768-407-0x0000000004310000-0x0000000004708000-memory.dmp

memory/1992-408-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1768-410-0x0000000004710000-0x0000000004FFB000-memory.dmp

memory/1992-413-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1992-414-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1992-415-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1768-416-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_B24336BD3AC2EB6EADC73CE87A98438A

MD5 efd291522f22b6ccd2b799dbd1837c10
SHA1 ab13ab5515d9b341055583d3c34ae0f9b64fef25
SHA256 d192ecbc55f8d481d89b107e2aae54a6e70422a9f0780e226457b1815dc882e3
SHA512 47d7845bf58ce99951b5ad460a3e52f80a5288dee61caf6ad2dfe3cf877b612432dddf097d5587503e3a2c42cb58b646f29f5f12bdb653fb0559f031cde92cc9

memory/912-429-0x0000000001080000-0x00000000011F4000-memory.dmp

memory/912-444-0x00000000705E0000-0x0000000070CCE000-memory.dmp

memory/1592-452-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

memory/2684-453-0x00000000010F0000-0x00000000012AD000-memory.dmp

memory/2684-504-0x00000000010F0000-0x00000000012AD000-memory.dmp

memory/1376-515-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1376-513-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1376-525-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1440-523-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1376-530-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1376-532-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1352-543-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

memory/2684-533-0x00000000010F0000-0x00000000012AD000-memory.dmp

memory/1376-544-0x00000000705E0000-0x0000000070CCE000-memory.dmp

memory/1352-547-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

memory/1768-555-0x0000000004710000-0x0000000004FFB000-memory.dmp

memory/912-572-0x00000000705E0000-0x0000000070CCE000-memory.dmp

memory/1376-573-0x00000000001F0000-0x00000000001F6000-memory.dmp

memory/1280-605-0x0000000003A80000-0x0000000003A96000-memory.dmp

memory/1992-606-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1f21df83becec1dc994d059fb5a3046
SHA1 5eb3b16cedfe74125f65dbe3571665662fb71a87
SHA256 f125a8a338c546dfcb527ed82834409e1ae12001af4a5554f9a6eaf42375b9b1
SHA512 abefd31af651a748557e47ba1fd34a200b639b17098e6653e0e1901f45d6f24699f9853bdd2bcf798c484962e1936d6536ee90b94b8c10cfea9bc00176f702d3

memory/1844-588-0x0000000003770000-0x0000000003961000-memory.dmp

memory/1584-617-0x0000000000D20000-0x0000000000F11000-memory.dmp

memory/1584-626-0x0000000000D20000-0x0000000000F11000-memory.dmp

memory/1584-630-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1768-633-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 af865e38d5a8b1a85052229d1909b56a
SHA1 d32dbf50f152e08bb0894d2177fafc76290fa034
SHA256 498a377815187d6a2b0fc885a468a2d4e8bfdbebd36269235d5eccc659626aeb
SHA512 ee59a7a7a97c1889f3ff25dfeeaaf58a5b83ca6731a0f3b397320a1161cc4368795532f750bac911a316350ccb956345278805ea1fa87df8f6a4c410d796638f

memory/1768-652-0x0000000000400000-0x000000000298D000-memory.dmp

memory/1592-682-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

memory/1352-683-0x0000000001FA0000-0x0000000002020000-memory.dmp

memory/1584-684-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1440-688-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1584-706-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1376-709-0x00000000705E0000-0x0000000070CCE000-memory.dmp

memory/1352-718-0x000007FEF5680000-0x000007FEF606C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ca6c02c14daf72c418dc6a098af04cd
SHA1 3fa07699a98774a23c70dce7b154bca27d515789
SHA256 1fb847528d6c45840e5e7f5b35a78290bc0757c107ada5b187a1187a978ee439
SHA512 f89c9223a3f754790cfc4e2754e715da432d7c1b1b635a9fa27117f00afefb78c52b97fbd7015ee2ec2690c65be4eaa99c2aba6a71ed5fd59c5a2bfd58fe0414

memory/1696-727-0x00000000036D0000-0x0000000003841000-memory.dmp

memory/1696-728-0x0000000003850000-0x0000000003981000-memory.dmp

memory/1844-730-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1844-733-0x0000000003770000-0x0000000003961000-memory.dmp

memory/1844-734-0x0000000003770000-0x0000000003961000-memory.dmp

memory/2448-735-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2448-736-0x0000000000F30000-0x0000000001121000-memory.dmp

memory/2448-737-0x0000000000F30000-0x0000000001121000-memory.dmp

memory/2448-741-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88d851fc3b2e9c7831067e44dfda9618
SHA1 8ac3ba592b8d57c8cbbb18ef1a5c3229c76f7b67
SHA256 682c930385af0c9a6d0d7933184e7fdd2a05e6daeca78278f9563633a6bda487
SHA512 63c455886f3f5d51fed126786eaab51bf4c6fcf0b14404aab6de3b14c41b14bd3a9dae13174c16b6bc1848e6aac04754e61d9f93fa0a7a4a1ad06bee2d3a32b4

memory/1768-760-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5bdc8203576d0b0434b1605d1e510b15
SHA1 23b618c38fe2910fb565f78cfd226c478b87bc76
SHA256 7033f65ea74ff51ff77ebd212d6c888d76d8e86f90a6ecb3a205b60afccd66b1
SHA512 5dd206b94af8dac593adb78cec233bdc8e7ad25bd71120bd3021b2d8586e0fdafd19cd8e15d86f6987db28d11f5f284985c92e43c3183f1023dab2b663e5d3e7

memory/1376-834-0x0000000001160000-0x00000000011A0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 778df6342a0e7e9464b666bfbab04211
SHA1 a6c0a175078c9b1ac08bede852770755ee367665
SHA256 e9d6bacc84ff4e05c2324760d628cd591cd22cba398e279296675dc69b6d0dc7
SHA512 e4acba2145eccc355000ec0be4986726581f78d3e4bd4de07f1d811ea0270abd9ff7c23a5d9d42041d517d4004d62c9759f03b9536c2eb256d4b88fb20fea87b

memory/1352-851-0x0000000001FA0000-0x0000000002020000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24002bb8a21b4dd7c71fd02b7d1d50ac
SHA1 e1719036535f48e7c513591390cb0fe1b28236ae
SHA256 f3bf612530627050841fd409d5a5f8ec7278c5f52fe30a3d88e44f1ca9cd7edb
SHA512 466fb11dca0ea9a11338e7ba7f521dbfc4ab56db6adba967c592aecd7874f143b1e9e50c6dddb195d4dda30941dad7689444ae2db263dba83eebd6812180983c

memory/1696-1056-0x0000000003850000-0x0000000003981000-memory.dmp

memory/2752-1055-0x0000000004300000-0x00000000046F8000-memory.dmp

memory/2752-1058-0x0000000004300000-0x00000000046F8000-memory.dmp

memory/2752-1059-0x0000000000400000-0x000000000298D000-memory.dmp

memory/1768-1057-0x0000000000400000-0x000000000298D000-memory.dmp

memory/2752-1068-0x0000000000400000-0x000000000298D000-memory.dmp

memory/888-1069-0x0000000004330000-0x0000000004728000-memory.dmp

memory/888-1070-0x0000000004330000-0x0000000004728000-memory.dmp

memory/1376-1071-0x0000000001160000-0x00000000011A0000-memory.dmp

memory/888-1072-0x0000000000400000-0x000000000298D000-memory.dmp

memory/1844-1074-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/2556-1079-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2556-1091-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/888-1102-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 e0758e3b3ea1c127208a451c285da508
SHA1 23efd3ddb50a9fcdc885b829a39328e076e74e7e
SHA256 87129291af7ffbced67c16e5085aaae7f71e05bf6f83e67eb0344ec3e56b44ff
SHA512 8cb8ac1fd86edcaa7ec2d27379af2de13b324a9bcb12fc4fb84576975fbd0da93ede8dbe0c1c1500fd9592d1908b7bf3d59672c44f38b0ada6d31d1945201b97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

memory/888-1154-0x0000000004330000-0x0000000004728000-memory.dmp

memory/2448-1156-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/888-1157-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/888-1173-0x0000000000400000-0x000000000298D000-memory.dmp

memory/1376-1174-0x00000000705E0000-0x0000000070CCE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

memory/2448-1178-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ABGWT92S\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

memory/888-1231-0x0000000000400000-0x000000000298D000-memory.dmp

memory/2448-1233-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/888-1235-0x0000000000400000-0x000000000298D000-memory.dmp

memory/2448-1247-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/888-1250-0x0000000000400000-0x000000000298D000-memory.dmp

memory/2448-1259-0x00000000029A0000-0x00000000029E9000-memory.dmp

memory/1720-1268-0x0000000002640000-0x0000000002740000-memory.dmp

memory/2536-1269-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2536-1276-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2448-1279-0x00000000029A0000-0x00000000029E9000-memory.dmp

memory/1720-1280-0x0000000002640000-0x0000000002740000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-02 08:07

Reported

2023-10-02 08:10

Platform

win10v2004-20230915-en

Max time kernel

90s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1EF1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1EF1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1EF1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1EF1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1EF1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1EF1.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2953.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\204A.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19AD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E83.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1EF1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\204A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2953.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\358A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QG83L.tmp\is-ALLA8.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lj226Mc.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1EF1.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\19AD.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe N/A

Checks installed software on the system

discovery

Detected potential entity reuse from brand microsoft.

phishing microsoft

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-QG83L.tmp\is-ALLA8.tmp N/A
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-QG83L.tmp\is-ALLA8.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-PRUMB.tmp C:\Users\Admin\AppData\Local\Temp\is-QG83L.tmp\is-ALLA8.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-BMO3M.tmp C:\Users\Admin\AppData\Local\Temp\is-QG83L.tmp\is-ALLA8.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-1SLUI.tmp C:\Users\Admin\AppData\Local\Temp\is-QG83L.tmp\is-ALLA8.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-SQCU9.tmp C:\Users\Admin\AppData\Local\Temp\is-QG83L.tmp\is-ALLA8.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-QG83L.tmp\is-ALLA8.tmp N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1EF1.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2500 wrote to memory of 5092 N/A N/A C:\Users\Admin\AppData\Local\Temp\19AD.exe
PID 2500 wrote to memory of 5092 N/A N/A C:\Users\Admin\AppData\Local\Temp\19AD.exe
PID 2500 wrote to memory of 5092 N/A N/A C:\Users\Admin\AppData\Local\Temp\19AD.exe
PID 2500 wrote to memory of 2740 N/A N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe
PID 2500 wrote to memory of 2740 N/A N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe
PID 2500 wrote to memory of 2740 N/A N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe
PID 5092 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\19AD.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
PID 5092 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\19AD.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
PID 5092 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\19AD.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
PID 3308 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
PID 3308 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
PID 3308 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
PID 3380 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
PID 3380 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
PID 3380 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
PID 2500 wrote to memory of 4352 N/A N/A C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 4352 N/A N/A C:\Windows\system32\cmd.exe
PID 2192 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
PID 2192 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
PID 2192 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
PID 5028 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe
PID 5028 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe
PID 5028 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe
PID 2500 wrote to memory of 4876 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E83.exe
PID 2500 wrote to memory of 4876 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E83.exe
PID 2500 wrote to memory of 4876 N/A N/A C:\Users\Admin\AppData\Local\Temp\1E83.exe
PID 2500 wrote to memory of 3084 N/A N/A C:\Users\Admin\AppData\Local\Temp\1EF1.exe
PID 2500 wrote to memory of 3084 N/A N/A C:\Users\Admin\AppData\Local\Temp\1EF1.exe
PID 2740 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2500 wrote to memory of 4340 N/A N/A C:\Users\Admin\AppData\Local\Temp\204A.exe
PID 2500 wrote to memory of 4340 N/A N/A C:\Users\Admin\AppData\Local\Temp\204A.exe
PID 2500 wrote to memory of 4340 N/A N/A C:\Users\Admin\AppData\Local\Temp\204A.exe
PID 2740 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2740 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1A6A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5028 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe
PID 5028 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe
PID 5028 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe
PID 2192 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe
PID 2192 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe
PID 2192 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe
PID 4340 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\204A.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4340 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\204A.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe

"C:\Users\Admin\AppData\Local\Temp\298501e26bfe53d37eef3db9e1d4f0f0.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2320 -ip 2320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 268

C:\Users\Admin\AppData\Local\Temp\19AD.exe

C:\Users\Admin\AppData\Local\Temp\19AD.exe

C:\Users\Admin\AppData\Local\Temp\1A6A.exe

C:\Users\Admin\AppData\Local\Temp\1A6A.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D0B.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe

C:\Users\Admin\AppData\Local\Temp\1E83.exe

C:\Users\Admin\AppData\Local\Temp\1E83.exe

C:\Users\Admin\AppData\Local\Temp\1EF1.exe

C:\Users\Admin\AppData\Local\Temp\1EF1.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\204A.exe

C:\Users\Admin\AppData\Local\Temp\204A.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2740 -ip 2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 436

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4876 -ip 4876

C:\Users\Admin\AppData\Local\Temp\2953.exe

C:\Users\Admin\AppData\Local\Temp\2953.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 156

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\2E07.exe

C:\Users\Admin\AppData\Local\Temp\2E07.exe

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\358A.exe

C:\Users\Admin\AppData\Local\Temp\358A.exe

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4644 -ip 4644

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\AppData\Local\Temp\is-QG83L.tmp\is-ALLA8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QG83L.tmp\is-ALLA8.tmp" /SL4 $110064 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lj226Mc.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lj226Mc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd7f9f46f8,0x7ffd7f9f4708,0x7ffd7f9f4718

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7f9f46f8,0x7ffd7f9f4708,0x7ffd7f9f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=358A.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7f9f46f8,0x7ffd7f9f4708,0x7ffd7f9f4718

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=358A.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7f9f46f8,0x7ffd7f9f4708,0x7ffd7f9f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6844 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,13737512204341226359,6590754558428984058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6844 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
MD 176.123.4.46:33783 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 46.4.123.176.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.6.160:443 learn.microsoft.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 160.6.85.104.in-addr.arpa udp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 mscom.demdex.net udp
IE 63.34.77.44:443 mscom.demdex.net tcp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 44.77.34.63.in-addr.arpa udp
US 8.8.8.8:53 mdec.nelreports.net udp
US 2.18.121.71:443 mdec.nelreports.net tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 13.107.246.67:443 js.monitor.azure.com tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 e64a3255-a768-4f94-9382-d41995d655bd.uuid.ramboclub.net udp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 datasheet.fun udp
US 172.67.166.109:80 datasheet.fun tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 109.166.67.172.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 server14.ramboclub.net udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.48:443 server14.ramboclub.net tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 142.251.125.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 127.125.251.142.in-addr.arpa udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 48.216.82.185.in-addr.arpa udp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
DE 148.251.234.93:443 iplogger.com tcp

Files

memory/4924-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4924-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2500-2-0x0000000008410000-0x0000000008426000-memory.dmp

memory/4924-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\19AD.exe

MD5 099b3d4378bb94aa106135ed1fc4d922
SHA1 2f9609032c3aea88a01321ce705a5fcded2a74d8
SHA256 271baf68891b775c19ff448ad18177a1dd25956d7a8d6c9a1a04cd454b84f9db
SHA512 50ce310246854d65e902f0d8e586732e2d94d4b9f713edf4be070a2d1de57bd551f885cc5d3df869180aa0d9e0920ca2d474f3919281025340e750249a06fdfe

C:\Users\Admin\AppData\Local\Temp\19AD.exe

MD5 099b3d4378bb94aa106135ed1fc4d922
SHA1 2f9609032c3aea88a01321ce705a5fcded2a74d8
SHA256 271baf68891b775c19ff448ad18177a1dd25956d7a8d6c9a1a04cd454b84f9db
SHA512 50ce310246854d65e902f0d8e586732e2d94d4b9f713edf4be070a2d1de57bd551f885cc5d3df869180aa0d9e0920ca2d474f3919281025340e750249a06fdfe

C:\Users\Admin\AppData\Local\Temp\1A6A.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe

MD5 a67fb4171f897930464e5f48ca226432
SHA1 596933d03d071a6653c67e01cc047c934649aba2
SHA256 28038eb5c01bf791e49727f20826e6fad223d116b70238261696539425719669
SHA512 6ffa5b0a6ff9c514c001dc407c4ca5ba69c5bb9337296387dde3fba167e5b7935885565dab84260e8d2ad380a6dff83e92a0650272563c48bcb38923b09d6c52

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe

MD5 a67fb4171f897930464e5f48ca226432
SHA1 596933d03d071a6653c67e01cc047c934649aba2
SHA256 28038eb5c01bf791e49727f20826e6fad223d116b70238261696539425719669
SHA512 6ffa5b0a6ff9c514c001dc407c4ca5ba69c5bb9337296387dde3fba167e5b7935885565dab84260e8d2ad380a6dff83e92a0650272563c48bcb38923b09d6c52

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe

MD5 24a8217ddd7bb28c2aabe78e51ae4b7c
SHA1 3a521565cd894883b72b73bdfc2053aa1a60bbf6
SHA256 8a379a26434d4c79d0dd51288fbeb8227f665cdfb02742de105a9b1a7f8f1d7b
SHA512 5a17a45a5e8ac9b0bf76686751fe061482f4b43eb23b2f954b26c49313013ea419921eb46d6e98d84056767e1af72cb105c1cf3bf39c1ab5583c8f325df8a903

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe

MD5 24a8217ddd7bb28c2aabe78e51ae4b7c
SHA1 3a521565cd894883b72b73bdfc2053aa1a60bbf6
SHA256 8a379a26434d4c79d0dd51288fbeb8227f665cdfb02742de105a9b1a7f8f1d7b
SHA512 5a17a45a5e8ac9b0bf76686751fe061482f4b43eb23b2f954b26c49313013ea419921eb46d6e98d84056767e1af72cb105c1cf3bf39c1ab5583c8f325df8a903

C:\Users\Admin\AppData\Local\Temp\1A6A.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe

MD5 852c0f3c1b7ce4d69fffd93b5e02a93f
SHA1 d58b19886548efa210002ff03eb900c336c5d2e2
SHA256 ddbfe58547bb89c62e41eb7e04df2db155ae635a410982eccdd03364d72570fa
SHA512 ea9820107653520c862447f51c600094e37c6ef711eb55c071f830d0c559b34cb535099083d03b52efb322bf1426ebdc42c6645e70ccf9c151edf447538a2df4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe

MD5 852c0f3c1b7ce4d69fffd93b5e02a93f
SHA1 d58b19886548efa210002ff03eb900c336c5d2e2
SHA256 ddbfe58547bb89c62e41eb7e04df2db155ae635a410982eccdd03364d72570fa
SHA512 ea9820107653520c862447f51c600094e37c6ef711eb55c071f830d0c559b34cb535099083d03b52efb322bf1426ebdc42c6645e70ccf9c151edf447538a2df4

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe

MD5 7f6112421b9caa7f2b9f690297d3dc26
SHA1 de8a94e43e7943fef6a2d5e27b87a334fb30fb89
SHA256 753df5549a1e75d223204cf4f8979bbaad9086a0cdf3182cac159550e98f12c0
SHA512 0f8de918907e1ea96c1758c4157ce85ef10039ebdb901f65c7a68cc7696bbf6d1b085d2f650677b9337407cc8409b7fd4b3d224e52d6efb42b234b1df058a1bb

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe

MD5 7f6112421b9caa7f2b9f690297d3dc26
SHA1 de8a94e43e7943fef6a2d5e27b87a334fb30fb89
SHA256 753df5549a1e75d223204cf4f8979bbaad9086a0cdf3182cac159550e98f12c0
SHA512 0f8de918907e1ea96c1758c4157ce85ef10039ebdb901f65c7a68cc7696bbf6d1b085d2f650677b9337407cc8409b7fd4b3d224e52d6efb42b234b1df058a1bb

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe

MD5 6de25e4bd7e214f28e993a708dd8a3fe
SHA1 c7dde639c9b312d47acf3ff82a965a321294622b
SHA256 e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003
SHA512 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe

MD5 6de25e4bd7e214f28e993a708dd8a3fe
SHA1 c7dde639c9b312d47acf3ff82a965a321294622b
SHA256 e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003
SHA512 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7

C:\Users\Admin\AppData\Local\Temp\1E83.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

C:\Users\Admin\AppData\Local\Temp\1EF1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\1EF1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\1E83.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

memory/1412-66-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\204A.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1412-70-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\204A.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3084-67-0x00007FFD7E2C0000-0x00007FFD7ED81000-memory.dmp

memory/3084-62-0x0000000000D50000-0x0000000000D5A000-memory.dmp

memory/1412-73-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1412-74-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1D0B.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

memory/1828-83-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

memory/1828-85-0x0000000072400000-0x0000000072BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2953.exe

MD5 3c81534d635fbe4bfab2861d98422f70
SHA1 9cc995fa42313cd82eacaad9e3fe818cd3805f58
SHA256 88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f
SHA512 132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

C:\Users\Admin\AppData\Local\Temp\2953.exe

MD5 3c81534d635fbe4bfab2861d98422f70
SHA1 9cc995fa42313cd82eacaad9e3fe818cd3805f58
SHA256 88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f
SHA512 132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

memory/1828-92-0x0000000007200000-0x0000000007292000-memory.dmp

memory/1828-88-0x0000000007710000-0x0000000007CB4000-memory.dmp

memory/1828-93-0x0000000007430000-0x0000000007440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

memory/1828-105-0x00000000072E0000-0x00000000072EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2E07.exe

MD5 965fcf373f3e95995f8ae35df758eca1
SHA1 a62d2494f6ba8a02a80a02017e7c347f76b18fa6
SHA256 82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39
SHA512 55e9fefbe2a1ed92034573f3c4bb03fe29b0d345ebe834f2f9192d5ddd2237f1bb8e4fb5f9516852e7e0efa42a3122a11d2f0db7c9633b1566901cdd7862ff52

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

memory/3000-118-0x00007FF7F6EB0000-0x00007FF7F6F1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 7ea584dc49967de03bebdacec829b18d
SHA1 3d47f0e88c7473bedeed2f14d7a8db1318b93852
SHA256 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53
SHA512 ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 7ea584dc49967de03bebdacec829b18d
SHA1 3d47f0e88c7473bedeed2f14d7a8db1318b93852
SHA256 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53
SHA512 ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

memory/3776-138-0x0000000072400000-0x0000000072BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 7ea584dc49967de03bebdacec829b18d
SHA1 3d47f0e88c7473bedeed2f14d7a8db1318b93852
SHA256 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53
SHA512 ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

memory/4224-113-0x0000000000090000-0x000000000024D000-memory.dmp

memory/1828-144-0x00000000082E0000-0x00000000088F8000-memory.dmp

memory/2884-146-0x00000000028C0000-0x00000000029C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/3084-158-0x00007FFD7E2C0000-0x00007FFD7ED81000-memory.dmp

memory/1828-159-0x0000000007570000-0x00000000075BC000-memory.dmp

memory/3776-160-0x0000000004E00000-0x0000000004E10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

memory/1828-155-0x0000000007530000-0x000000000756C000-memory.dmp

memory/4528-163-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2296-162-0x0000000004630000-0x0000000004A38000-memory.dmp

memory/3648-161-0x0000000072400000-0x0000000072BB0000-memory.dmp

memory/4528-154-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\358A.exe

MD5 264d1eb69bcce00fdf11a6a39472dd0a
SHA1 e466c80da7f961743681b6dbdae3eaa0756a4dcd
SHA256 a744a3c6231d68eb30fd4ec1c1deb3830b13b36d3c4bae9ebf03c3d1380b0f79
SHA512 f45a0da6d82081f787b385595c34a8abc6552d0e73dd393789f93a1b2910efc8ab413668d347726ae874c298c9c3ac458e7e422e98ad2bb3354b8c8563ecbed9

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/1716-176-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4552-190-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3648-198-0x0000000072400000-0x0000000072BB0000-memory.dmp

memory/504-196-0x00000000006E0000-0x000000000073A000-memory.dmp

memory/3108-192-0x00000000001A0000-0x00000000001A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/2296-172-0x0000000004B40000-0x000000000542B000-memory.dmp

memory/3648-153-0x0000000000BE0000-0x0000000000D54000-memory.dmp

memory/1828-152-0x00000000073C0000-0x00000000073D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/2884-149-0x00000000026C0000-0x00000000026C9000-memory.dmp

memory/1828-148-0x0000000007CC0000-0x0000000007DCA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2E07.exe

MD5 965fcf373f3e95995f8ae35df758eca1
SHA1 a62d2494f6ba8a02a80a02017e7c347f76b18fa6
SHA256 82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39
SHA512 55e9fefbe2a1ed92034573f3c4bb03fe29b0d345ebe834f2f9192d5ddd2237f1bb8e4fb5f9516852e7e0efa42a3122a11d2f0db7c9633b1566901cdd7862ff52

C:\Users\Admin\AppData\Local\Temp\358A.exe

MD5 264d1eb69bcce00fdf11a6a39472dd0a
SHA1 e466c80da7f961743681b6dbdae3eaa0756a4dcd
SHA256 a744a3c6231d68eb30fd4ec1c1deb3830b13b36d3c4bae9ebf03c3d1380b0f79
SHA512 f45a0da6d82081f787b385595c34a8abc6552d0e73dd393789f93a1b2910efc8ab413668d347726ae874c298c9c3ac458e7e422e98ad2bb3354b8c8563ecbed9

memory/2296-208-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-QG83L.tmp\is-ALLA8.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\AppData\Local\Temp\is-QG83L.tmp\is-ALLA8.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/3108-210-0x0000000002370000-0x0000000002380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8N3FH.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

memory/4552-232-0x0000000072400000-0x0000000072BB0000-memory.dmp

memory/4528-231-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3108-239-0x00007FFD7E2C0000-0x00007FFD7ED81000-memory.dmp

memory/4552-251-0x0000000005170000-0x0000000005180000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/1828-255-0x0000000072400000-0x0000000072BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lj226Mc.exe

MD5 e43ed2f89335b4323450cc5a8b743a12
SHA1 578aa2a3018d58c9162fe9fd4d30e65a352fe58e
SHA256 462b13ad372a6c80aba06a0b94583199ecf97aa2122db642ee581f9ca5b96214
SHA512 70d7c974f40c7b03608697fdfea69d3b5c1187683a78f0659c043264ff2ab2d508d80e76aa0814f5399b80de6ca5fb0a6c9517e67e350bdef70dfd4c2d37002f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lj226Mc.exe

MD5 e43ed2f89335b4323450cc5a8b743a12
SHA1 578aa2a3018d58c9162fe9fd4d30e65a352fe58e
SHA256 462b13ad372a6c80aba06a0b94583199ecf97aa2122db642ee581f9ca5b96214
SHA512 70d7c974f40c7b03608697fdfea69d3b5c1187683a78f0659c043264ff2ab2d508d80e76aa0814f5399b80de6ca5fb0a6c9517e67e350bdef70dfd4c2d37002f

memory/2380-257-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2380-260-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/4404-264-0x0000000072400000-0x0000000072BB0000-memory.dmp

memory/4404-265-0x00000000005D0000-0x000000000060E000-memory.dmp

memory/2380-267-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1828-261-0x0000000007430000-0x0000000007440000-memory.dmp

memory/4324-270-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4404-271-0x0000000007370000-0x0000000007380000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/632-240-0x0000000000610000-0x0000000000611000-memory.dmp

memory/3084-237-0x00007FFD7E2C0000-0x00007FFD7ED81000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/2500-230-0x0000000008EA0000-0x0000000008EB6000-memory.dmp

memory/504-228-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8N3FH.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/4224-224-0x0000000000090000-0x000000000024D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8N3FH.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

memory/1716-211-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4552-209-0x0000000001100000-0x0000000001106000-memory.dmp

memory/2296-273-0x0000000000400000-0x000000000298D000-memory.dmp

memory/4324-279-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/3776-280-0x0000000072400000-0x0000000072BB0000-memory.dmp

memory/632-284-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4552-285-0x0000000005660000-0x00000000056D6000-memory.dmp

memory/4552-286-0x00000000056E0000-0x0000000005746000-memory.dmp

memory/3776-288-0x0000000004E00000-0x0000000004E10000-memory.dmp

memory/3000-289-0x0000000003550000-0x00000000036C1000-memory.dmp

memory/3000-295-0x00000000036D0000-0x0000000003801000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/2296-296-0x0000000000400000-0x000000000298D000-memory.dmp

\??\pipe\LOCAL\crashpad_2992_WZUHGAOKXBWHKKFA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2296-308-0x0000000004630000-0x0000000004A38000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f51cb455b3399a74e439698f1cadd780
SHA1 b88478cbef6a5c5242240bd8fcd121d92691cf88
SHA256 0238fcd1f5160db35bdf47e31a16ea2a2b48305856d371ef7c75d8bdbbb5ceb6
SHA512 64a9989f788100abc40b3ee2327854cf834ccdb7a3e9a12146d79868a29f96437d15edbd7445f6ffc11fd022dad31080cd55685e86686fb1c05bddce62e94729

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/504-329-0x0000000000400000-0x000000000046A000-memory.dmp

memory/4552-331-0x0000000072400000-0x0000000072BB0000-memory.dmp

memory/4552-328-0x00000000067B0000-0x0000000006972000-memory.dmp

memory/3108-327-0x0000000002370000-0x0000000002380000-memory.dmp

memory/4552-335-0x0000000007B30000-0x000000000805C000-memory.dmp

memory/3108-336-0x00007FFD7E2C0000-0x00007FFD7ED81000-memory.dmp

memory/4552-337-0x0000000005170000-0x0000000005180000-memory.dmp

memory/4552-352-0x0000000006980000-0x00000000069D0000-memory.dmp

memory/4324-357-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 03c68607b65374312a8bdc3cee7874b4
SHA1 b476c73aa9c4dcab29446f1b1d06999b8afd8ee5
SHA256 d6e204ce71da6f1b1c0c728dc29f03079874df7bb02c7d40e0a306225198c202
SHA512 d6a741d68cb261e3f691225caddf499d45a47ec3e67abbfec5a7a4b9dbf7834ac7b24fbf9ecd1c14323477831bda287d299d511dab29c541f5ab78a1a99834b5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7fcdbdfc80c98d9e9abf3019a4bb74a4
SHA1 699080161bbd7b41db0f1e9dfb849f34161b61fe
SHA256 834e0512dbbfcaec601fe4044bcccf21e557ba4b1c7d5e49ba4450d77bcf82ce
SHA512 987a901894c2099226562409efb6f6a24f4d96e7bd785254e9c615b2c8a5ae684709479ead6baf487ec8fd99d17f4c0b3603e8610c570ab98259236f26893b78

memory/2296-366-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d555d038867542dfb2fb0575a0d3174e
SHA1 1a5868d6df0b5de26cf3fc7310b628ce0a3726f0
SHA256 044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e
SHA512 d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_un2j5yee.cm1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/4324-475-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2296-472-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 34c4f15f6734656b5d4bd27bd26d1a3e
SHA1 5f6249a4af4434755a1da2ad7b58302fd3ff8f1e
SHA256 35c87d6cddd4253492371ad6e4f18621e8e3977ef6357c3cf813c8b715931eda
SHA512 fc5e250293587425a9f6edbdab4bd5d92bc2b98956a95491ab3c04d0dfe6916d20d277954110a8a30d8beaccade9cc51991a43e8f111a4824ed439acab354b4e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 df20a2c6cc779d3359899d42df0c8470
SHA1 e19345e7a7046011a6ffbe295e9a63deb9e82fa2
SHA256 821d01221867d2fb31fb058175eba03cb2816eb4be150f61aff3594338fa2328
SHA512 88fe6a7f7ec43d09883f2978f037257a615afb957f5ab25df5f3135158d65087ef0cf68555f3d6f11eb7e57ca551b341b5696dc41d8b5554ebc22203a92bf1aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58df8d.TMP

MD5 365536198a97b60abe5f1a6425e0e7da
SHA1 f8a2169c89290248af8d513767c1fdf4837b5357
SHA256 c01bd2abaffb88bfee2da96eb67c1f26d0e2e7397c86427f75107a18a30fe49c
SHA512 db008ef2eec0bbbdd992068bea315ed2d696f49a2d77dbf8ac7d0c8a06b6a1f1b35e3edbd8999eff7270c90e75dde04f145f2e82b25e327810a23f3484f36455

memory/4324-609-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2296-623-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9bf7459440ed85956cc801abfdd0ad48
SHA1 ed0815a4c8d2490468ced416dbf0e364aa71b3fe
SHA256 ea22ee6bb3511946498824b57ce35c3b5b9b41c11866d5789579c350b6694455
SHA512 ba5a26237446c1959593a888fdaf5166f0c3f4e6c71720dacffdc748b52f9837d7e38ff1b05a57f487a7fef467f5cd01f6a6496d4d4cc98fc40d5d9b4105c735

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 fcc47926fc808eb9c4b677d205e85e02
SHA1 4e0dd9d10508cd3b15b58fdf280e3dfb70382459
SHA256 014b837c0db8acad8aede183786e2c03b150edf5389e99f98e08f539884cda92
SHA512 2c4b756dca8937842003107239459173d4560a3dfb533618e8a2c21f98b708aeef79d2d1d7d4e0f932349c528736c8b53137053198b84da444b43fd99afd2243

memory/4224-679-0x0000000000400000-0x000000000298D000-memory.dmp

memory/4324-692-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4224-741-0x0000000000400000-0x000000000298D000-memory.dmp

memory/4324-755-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 cffe3b6f60052e99ab84e4f9d4f8e4c2
SHA1 e02e585624cab1ab5a86e241c51a9df99b168209
SHA256 d75c1887cebbffae8944fd85157058147ef002c683d0e66a4223eeff3cb40305
SHA512 b1bb62ba245d1b6470ec228a86397634a1951f45f7d998c185150e610ed203b6c90384ede4ae9014286e3eb1afba57d9b645ed3b678b62be1b5b556ef7bfff8d

memory/4340-806-0x0000000000400000-0x000000000298D000-memory.dmp

memory/4324-822-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 fc481a41126f5cd49c3ef80ac3cf16b9
SHA1 f7112b2c80004ee74eb5b817d30ed6e75e551d88
SHA256 b844a47de80eb01c8f42581c55ba583596f7483444b58951d63bb91a06b3ac35
SHA512 741e3c784d8e4f29136e243cb1ba600795f822f6aee9f8926e0d88b86f963eef163e8bd84de6922bc87851737d0d5dfdca96606fccd109e5524acc210ff1f4ad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 b559d40ec1a446d1194b6b60ea25a56d
SHA1 f7f8070a1ee4dad67dc30678aa3da54675e69526
SHA256 1cc2113fbb3845d291ac5970c81bc448a99f425721dbed079b38b6f1bb59a43d
SHA512 e80d00dc3fe315da7903ebcfd93424fd8188d4492df8015f122b2eedd59f7f2786c29ba68cbc806e9ea9b95dc001074883d991b8c67cc6bedf7d18c937b3a9df