Malware Analysis Report

2025-01-23 11:33

Sample ID 231010-1fep3aee49
Target 7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b
SHA256 7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b
Tags
amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan lutyr magia
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b

Threat Level: Known bad

The file 7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan lutyr magia

RedLine payload

Amadey

SmokeLoader

DcRat

Detects Healer an antivirus disabler dropper

Glupteba payload

Modifies Windows Defender Real-time Protection settings

RedLine

Windows security bypass

Glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess

SectopRAT payload

SectopRAT

Healer

Stops running service(s)

Modifies Windows Firewall

Downloads MZ/PE file

Drops file in Drivers directory

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

Modifies system certificate store

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 21:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 21:35

Reported

2023-10-10 23:05

Platform

win7-20230831-en

Max time kernel

158s

Max time network

193s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\62CD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\62CD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\62CD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\62CD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\62CD.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\62CD.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\583E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\59E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5CB3.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5F62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62CD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6434.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9054.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B1E8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BCB3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C26E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\583E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\583E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6434.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9054.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9054.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9054.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9054.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9054.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9054.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\62CD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\62CD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\583E.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20231010230408.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\C26E.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\C26E.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\C26E.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\C26E.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\62CD.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C26E.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2312 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\SysWOW64\WerFault.exe
PID 2312 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\SysWOW64\WerFault.exe
PID 2312 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\SysWOW64\WerFault.exe
PID 2312 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\SysWOW64\WerFault.exe
PID 1200 wrote to memory of 2544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\583E.exe
PID 1200 wrote to memory of 2544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\583E.exe
PID 1200 wrote to memory of 2544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\583E.exe
PID 1200 wrote to memory of 2544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\583E.exe
PID 1200 wrote to memory of 2544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\583E.exe
PID 1200 wrote to memory of 2544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\583E.exe
PID 1200 wrote to memory of 2544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\583E.exe
PID 2544 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\583E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 2544 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\583E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 2544 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\583E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 2544 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\583E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 2544 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\583E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 2544 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\583E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 2544 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\583E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 1200 wrote to memory of 2588 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\59E4.exe
PID 1200 wrote to memory of 2588 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\59E4.exe
PID 1200 wrote to memory of 2588 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\59E4.exe
PID 1200 wrote to memory of 2588 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\59E4.exe
PID 2524 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 2524 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 2524 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 2524 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 2524 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 2524 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 2524 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 2588 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\59E4.exe C:\Windows\SysWOW64\WerFault.exe
PID 2588 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\59E4.exe C:\Windows\SysWOW64\WerFault.exe
PID 2588 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\59E4.exe C:\Windows\SysWOW64\WerFault.exe
PID 2588 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\59E4.exe C:\Windows\SysWOW64\WerFault.exe
PID 3036 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 3036 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 3036 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 3036 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 3036 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 3036 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 3036 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 1200 wrote to memory of 2096 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5CB3.bat
PID 1200 wrote to memory of 2096 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5CB3.bat
PID 1200 wrote to memory of 2096 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5CB3.bat
PID 1200 wrote to memory of 2096 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5CB3.bat
PID 2700 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 2700 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 2700 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe

"C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 76

C:\Users\Admin\AppData\Local\Temp\583E.exe

C:\Users\Admin\AppData\Local\Temp\583E.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\59E4.exe

C:\Users\Admin\AppData\Local\Temp\59E4.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 132

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\5CB3.bat

"C:\Users\Admin\AppData\Local\Temp\5CB3.bat"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5E08.tmp\5E18.tmp\5E19.bat C:\Users\Admin\AppData\Local\Temp\5CB3.bat"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\5F62.exe

C:\Users\Admin\AppData\Local\Temp\5F62.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 132

C:\Users\Admin\AppData\Local\Temp\62CD.exe

C:\Users\Admin\AppData\Local\Temp\62CD.exe

C:\Users\Admin\AppData\Local\Temp\6434.exe

C:\Users\Admin\AppData\Local\Temp\6434.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\9054.exe

C:\Users\Admin\AppData\Local\Temp\9054.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\B1E8.exe

C:\Users\Admin\AppData\Local\Temp\B1E8.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 528

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\BCB3.exe

C:\Users\Admin\AppData\Local\Temp\BCB3.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 508

C:\Users\Admin\AppData\Local\Temp\C26E.exe

C:\Users\Admin\AppData\Local\Temp\C26E.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {24FA074E-ED59-4A2B-925E-F964B28B86B2} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010230408.log C:\Windows\Logs\CBS\CbsPersist_20231010230408.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {18FF891A-6060-425A-B679-EEC9A4D13FFF} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
NL 85.209.176.171:80 85.209.176.171 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 61da4ccf-03ee-452c-9f98-ff5ae8fd92ea.uuid.cdntokiog.studio udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp

Files

memory/2616-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2616-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2616-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2616-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2616-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2616-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1200-5-0x0000000002A10000-0x0000000002A26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\583E.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

C:\Users\Admin\AppData\Local\Temp\583E.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

\Users\Admin\AppData\Local\Temp\583E.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\59E4.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

\Users\Admin\AppData\Local\Temp\59E4.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

\Users\Admin\AppData\Local\Temp\59E4.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

\Users\Admin\AppData\Local\Temp\59E4.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

\Users\Admin\AppData\Local\Temp\59E4.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

C:\Users\Admin\AppData\Local\Temp\5CB3.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\5CB3.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\5E08.tmp\5E18.tmp\5E19.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\5F62.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\62CD.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

\Users\Admin\AppData\Local\Temp\5F62.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

\Users\Admin\AppData\Local\Temp\5F62.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

\Users\Admin\AppData\Local\Temp\5F62.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

C:\Users\Admin\AppData\Local\Temp\62CD.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

\Users\Admin\AppData\Local\Temp\5F62.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

C:\Users\Admin\AppData\Local\Temp\6434.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\6434.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1300-123-0x00000000012A0000-0x00000000012AA000-memory.dmp

memory/1300-124-0x000007FEF4F80000-0x000007FEF596C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9054.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\9054.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/1300-130-0x000007FEF4F80000-0x000007FEF596C000-memory.dmp

memory/1788-131-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/1788-132-0x00000000003A0000-0x00000000012CA000-memory.dmp

memory/1300-133-0x000007FEF4F80000-0x000007FEF596C000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/1932-157-0x00000000023C0000-0x00000000024C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/1712-160-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/1712-171-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1920-170-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/1712-167-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1920-166-0x0000000000090000-0x00000000005A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/1932-162-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2264-172-0x0000000003F80000-0x0000000004378000-memory.dmp

memory/2264-173-0x0000000003F80000-0x0000000004378000-memory.dmp

memory/2264-174-0x0000000004380000-0x0000000004C6B000-memory.dmp

memory/1712-178-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1200-177-0x0000000003A30000-0x0000000003A46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B1E8.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\B1E8.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/1788-188-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/2220-189-0x0000000000230000-0x000000000028A000-memory.dmp

memory/2264-190-0x0000000000400000-0x000000000266D000-memory.dmp

\Users\Admin\AppData\Local\Temp\B1E8.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

\Users\Admin\AppData\Local\Temp\B1E8.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1788-195-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/1920-196-0x0000000004B10000-0x0000000004B50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BCB3.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/2784-202-0x0000000000020000-0x000000000003E000-memory.dmp

memory/2784-204-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2784-207-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/2264-208-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1920-210-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/2264-211-0x0000000003F80000-0x0000000004378000-memory.dmp

memory/2264-214-0x0000000004380000-0x0000000004C6B000-memory.dmp

memory/2760-217-0x000000013F980000-0x000000013FF21000-memory.dmp

memory/2264-221-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1920-222-0x0000000004B10000-0x0000000004B50000-memory.dmp

memory/2784-226-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/1696-227-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/1920-229-0x0000000000B30000-0x0000000000B31000-memory.dmp

memory/1696-230-0x0000000000DD0000-0x0000000000DEE000-memory.dmp

memory/1696-231-0x0000000000510000-0x0000000000550000-memory.dmp

memory/1696-234-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/2264-235-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1452-236-0x0000000004020000-0x0000000004418000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/1452-243-0x0000000004020000-0x0000000004418000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/1452-245-0x0000000004420000-0x0000000004D0B000-memory.dmp

memory/1452-255-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1924-257-0x0000000001F00000-0x0000000001F08000-memory.dmp

memory/1924-256-0x000000001B150000-0x000000001B432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3DAE.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/1924-274-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

memory/1924-275-0x00000000027F0000-0x0000000002870000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar3F85.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/1924-284-0x000007FEF4630000-0x000007FEF4FCD000-memory.dmp

memory/1924-286-0x00000000027F4000-0x00000000027F7000-memory.dmp

memory/1924-287-0x00000000027FB000-0x0000000002862000-memory.dmp

memory/1452-293-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1696-309-0x0000000000510000-0x0000000000550000-memory.dmp

memory/1452-307-0x0000000004020000-0x0000000004418000-memory.dmp

memory/1824-310-0x00000000040D0000-0x00000000044C8000-memory.dmp

memory/1824-311-0x00000000040D0000-0x00000000044C8000-memory.dmp

memory/2760-314-0x000000013F980000-0x000000013FF21000-memory.dmp

memory/1824-315-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1824-316-0x00000000040D0000-0x00000000044C8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HCQIEC4C15YUFSS9M3FP.temp

MD5 8205b70b053f1c926dd4b92cced9a0a9
SHA1 d2f6cfb62344ec2032d78a38e791bac538537ae1
SHA256 acf6b5b49c4eac3acf689821b44dc034bef69f87ab23f88d6866662665d76f31
SHA512 5247ac9b312b80f2134d962aa4cabfcc0ab0fceed20acaab93f6b4524841d7f4a2d125abbd4766d8ab6c20b16e02c02f22069010ceeff2a8db94e2f10d610597

memory/2860-328-0x000000001B1A0000-0x000000001B482000-memory.dmp

memory/2860-329-0x0000000001F00000-0x0000000001F08000-memory.dmp

memory/1824-330-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2860-331-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/2860-332-0x000007FEF4FD0000-0x000007FEF596D000-memory.dmp

memory/2860-333-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/2860-334-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/2860-335-0x000007FEF4FD0000-0x000007FEF596D000-memory.dmp

memory/2860-336-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/1824-340-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2860-341-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/2860-342-0x000007FEF4FD0000-0x000007FEF596D000-memory.dmp

memory/2860-343-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/2860-344-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/2860-348-0x0000000002660000-0x00000000026E0000-memory.dmp

memory/2760-351-0x000000013F980000-0x000000013FF21000-memory.dmp

memory/2860-352-0x000007FEF4FD0000-0x000007FEF596D000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1752-388-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1920-387-0x0000000002320000-0x000000000233C000-memory.dmp

memory/1920-391-0x0000000002320000-0x0000000002335000-memory.dmp

memory/1920-392-0x0000000002320000-0x0000000002335000-memory.dmp

memory/1920-395-0x0000000002320000-0x0000000002335000-memory.dmp

memory/1920-399-0x0000000002320000-0x0000000002335000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/1920-406-0x0000000002320000-0x0000000002335000-memory.dmp

memory/1752-408-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1920-409-0x0000000002320000-0x0000000002335000-memory.dmp

memory/1920-411-0x0000000002320000-0x0000000002335000-memory.dmp

memory/1920-413-0x0000000002320000-0x0000000002335000-memory.dmp

memory/1920-415-0x0000000002320000-0x0000000002335000-memory.dmp

memory/1920-417-0x0000000002320000-0x0000000002335000-memory.dmp

memory/1920-419-0x0000000002320000-0x0000000002335000-memory.dmp

memory/1920-421-0x0000000002320000-0x0000000002335000-memory.dmp

memory/1920-423-0x0000000002320000-0x0000000002335000-memory.dmp

memory/1920-424-0x0000000002340000-0x0000000002341000-memory.dmp

memory/2584-425-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDA42.tmp

MD5 ffb3fe1240662078b37c24fb150a0b08
SHA1 c3bd03fbef4292f607e4434cdf2003b4043a2771
SHA256 580dc431acaa3e464c04ffdc1182a0c8498ac28275acb5a823ede8665a3cb614
SHA512 6f881a017120920a1dff8080ca477254930964682fc8dc32ab18d7f6b0318d904770ecc3f78fafc6741ef1e19296f5b0e8f8f7ab66a2d8ed2eb22a5efacaeda5

C:\Users\Admin\AppData\Local\Temp\tmpDA2D.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 21:35

Reported

2023-10-10 23:05

Platform

win10v2004-20230915-en

Max time kernel

191s

Max time network

200s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\C40B.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\C40B.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\C40B.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\C40B.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\C40B.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\C40B.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\C12A.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\C61F.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F33B.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\C40B.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\AE4C.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C40B.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3604 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3604 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3604 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3604 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3604 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3604 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2576 wrote to memory of 1988 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE4C.exe
PID 2576 wrote to memory of 1988 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE4C.exe
PID 2576 wrote to memory of 1988 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE4C.exe
PID 2576 wrote to memory of 1928 N/A N/A C:\Users\Admin\AppData\Local\Temp\BAC1.exe
PID 2576 wrote to memory of 1928 N/A N/A C:\Users\Admin\AppData\Local\Temp\BAC1.exe
PID 2576 wrote to memory of 1928 N/A N/A C:\Users\Admin\AppData\Local\Temp\BAC1.exe
PID 2576 wrote to memory of 3040 N/A N/A C:\Users\Admin\AppData\Local\Temp\C12A.bat
PID 2576 wrote to memory of 3040 N/A N/A C:\Users\Admin\AppData\Local\Temp\C12A.bat
PID 2576 wrote to memory of 3040 N/A N/A C:\Users\Admin\AppData\Local\Temp\C12A.bat
PID 1988 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\AE4C.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 1988 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\AE4C.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 1988 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\AE4C.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 1908 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 1908 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 1908 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 2576 wrote to memory of 2836 N/A N/A C:\Users\Admin\AppData\Local\Temp\C310.exe
PID 2576 wrote to memory of 2836 N/A N/A C:\Users\Admin\AppData\Local\Temp\C310.exe
PID 2576 wrote to memory of 2836 N/A N/A C:\Users\Admin\AppData\Local\Temp\C310.exe
PID 4448 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 4448 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 4448 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 2576 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\Temp\C40B.exe
PID 2576 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\Temp\C40B.exe
PID 3040 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\C12A.bat C:\Windows\system32\cmd.exe
PID 3040 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\C12A.bat C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\BAC1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1928 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\BAC1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1928 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\BAC1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1928 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\BAC1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1928 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\BAC1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1928 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\BAC1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1928 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\BAC1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1928 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\BAC1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1928 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\BAC1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1928 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\BAC1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2576 wrote to memory of 912 N/A N/A C:\Users\Admin\AppData\Local\Temp\C61F.exe
PID 2576 wrote to memory of 912 N/A N/A C:\Users\Admin\AppData\Local\Temp\C61F.exe
PID 2576 wrote to memory of 912 N/A N/A C:\Users\Admin\AppData\Local\Temp\C61F.exe
PID 2824 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 2824 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 2824 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 2836 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\C310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2836 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\C310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2836 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\C310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2836 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\C310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2836 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\C310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2836 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\C310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2836 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\C310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2836 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\C310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3776 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe
PID 3776 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe
PID 3776 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe
PID 4372 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4372 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4372 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4372 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4372 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4372 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe

"C:\Users\Admin\AppData\Local\Temp\7779cf2fa7f32c5d5f645f90b1194d48d7c6f11f711ead2d59ae1d1957d06a3b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3604 -ip 3604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 156

C:\Users\Admin\AppData\Local\Temp\AE4C.exe

C:\Users\Admin\AppData\Local\Temp\AE4C.exe

C:\Users\Admin\AppData\Local\Temp\BAC1.exe

C:\Users\Admin\AppData\Local\Temp\BAC1.exe

C:\Users\Admin\AppData\Local\Temp\C12A.bat

"C:\Users\Admin\AppData\Local\Temp\C12A.bat"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\C310.exe

C:\Users\Admin\AppData\Local\Temp\C310.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\C40B.exe

C:\Users\Admin\AppData\Local\Temp\C40B.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C213.tmp\C214.tmp\C215.bat C:\Users\Admin\AppData\Local\Temp\C12A.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1928 -ip 1928

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\C61F.exe

C:\Users\Admin\AppData\Local\Temp\C61F.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2836 -ip 2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4372 -ip 4372

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4744 -ip 4744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 540

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hH861vm.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hH861vm.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\F33B.exe

C:\Users\Admin\AppData\Local\Temp\F33B.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\4004.exe

C:\Users\Admin\AppData\Local\Temp\4004.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ffad6fc46f8,0x7ffad6fc4708,0x7ffad6fc4718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\443B.exe

C:\Users\Admin\AppData\Local\Temp\443B.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffad6fc46f8,0x7ffad6fc4708,0x7ffad6fc4718

C:\Users\Admin\AppData\Local\Temp\5E6B.exe

C:\Users\Admin\AppData\Local\Temp\5E6B.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,871933871437093272,5048306249323460145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,871933871437093272,5048306249323460145,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,871933871437093272,5048306249323460145,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,871933871437093272,5048306249323460145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,871933871437093272,5048306249323460145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,871933871437093272,5048306249323460145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,871933871437093272,5048306249323460145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,871933871437093272,5048306249323460145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,871933871437093272,5048306249323460145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,871933871437093272,5048306249323460145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11820545881835293483,7720512838839585350,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,871933871437093272,5048306249323460145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,11820545881835293483,7720512838839585350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,871933871437093272,5048306249323460145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1120 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 126.209.247.8.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
US 8.8.8.8:53 45.36.251.142.in-addr.arpa udp
NL 142.251.36.45:443 accounts.google.com udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

memory/2332-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2332-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2332-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2576-2-0x0000000002FF0000-0x0000000003006000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AE4C.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

C:\Users\Admin\AppData\Local\Temp\AE4C.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

C:\Users\Admin\AppData\Local\Temp\BAC1.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

C:\Users\Admin\AppData\Local\Temp\BAC1.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

C:\Users\Admin\AppData\Local\Temp\C12A.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\C12A.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\C12A.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\C310.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

C:\Users\Admin\AppData\Local\Temp\C310.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

memory/2496-54-0x0000000000C10000-0x0000000000C1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C40B.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\C40B.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

memory/2496-57-0x00007FFAD4D10000-0x00007FFAD57D1000-memory.dmp

memory/3800-58-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3800-61-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3800-59-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3800-62-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\C61F.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\C61F.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

memory/2840-75-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C213.tmp\C214.tmp\C215.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/4744-82-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4744-81-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4744-85-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2840-84-0x00000000726C0000-0x0000000072E70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/2840-93-0x0000000007F30000-0x00000000084D4000-memory.dmp

memory/3800-94-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2840-95-0x0000000007A60000-0x0000000007AF2000-memory.dmp

memory/2496-96-0x00007FFAD4D10000-0x00007FFAD57D1000-memory.dmp

memory/2840-97-0x00000000079D0000-0x00000000079E0000-memory.dmp

memory/2840-98-0x0000000007C00000-0x0000000007C0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hH861vm.exe

MD5 cded7d5b117a56fe62558b4e745efcb1
SHA1 f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8
SHA256 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb
SHA512 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hH861vm.exe

MD5 cded7d5b117a56fe62558b4e745efcb1
SHA1 f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8
SHA256 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb
SHA512 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696

memory/4612-103-0x0000000000DC0000-0x0000000000DFE000-memory.dmp

memory/4612-104-0x00000000726C0000-0x0000000072E70000-memory.dmp

memory/4612-105-0x0000000007DB0000-0x0000000007DC0000-memory.dmp

memory/2496-107-0x00007FFAD4D10000-0x00007FFAD57D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F33B.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\F33B.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/4480-111-0x00000000726C0000-0x0000000072E70000-memory.dmp

memory/4480-112-0x0000000000E80000-0x0000000001DAA000-memory.dmp

memory/2840-113-0x00000000726C0000-0x0000000072E70000-memory.dmp

memory/2840-114-0x00000000079D0000-0x00000000079E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4004.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/4612-118-0x00000000726C0000-0x0000000072E70000-memory.dmp

memory/4612-119-0x0000000007DB0000-0x0000000007DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4004.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/4480-122-0x00000000726C0000-0x0000000072E70000-memory.dmp

memory/372-123-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\443B.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/372-124-0x00000000007D0000-0x000000000082A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\443B.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/372-131-0x00000000726C0000-0x0000000072E70000-memory.dmp

memory/372-132-0x00000000075F0000-0x0000000007600000-memory.dmp

memory/3528-135-0x00000000001D0000-0x00000000001EE000-memory.dmp

memory/3528-134-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3528-139-0x00000000726C0000-0x0000000072E70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c126b33f65b7fc4ece66e42d6802b02e
SHA1 2a169a1c15e5d3dab708344661ec04d7339bcb58
SHA256 ca9d2a9ab8047067c8a78be0a7e7af94af34957875de8e640cf2f98b994f52d8
SHA512 eecbe3f0017e902639e0ecb8256ae62bf681bb5f80a7cddc9008d2571fe34d91828dfaee9a8df5a7166f337154232b9ea966c83561ace45d1e2923411702e822

C:\Users\Admin\AppData\Local\Temp\5E6B.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\5E6B.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/3044-146-0x00000000726C0000-0x0000000072E70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

memory/372-155-0x0000000000400000-0x000000000046F000-memory.dmp

\??\pipe\LOCAL\crashpad_4872_CIEXJMPNZHPCAOKZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3044-167-0x0000000000C80000-0x0000000000C9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/372-169-0x00000000726C0000-0x0000000072E70000-memory.dmp

memory/372-170-0x00000000075F0000-0x0000000007600000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/3528-184-0x00000000726C0000-0x0000000072E70000-memory.dmp

memory/3044-187-0x00000000726C0000-0x0000000072E70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 450d9064ac7999de2e9bac1c9305dd06
SHA1 89d92c7f2f6310c19bed654cd71fa3630928e98f
SHA256 72e389260c7abe36a9559603257372e328288770e9a682f077c82e03f5d2279a
SHA512 53841f99d7ff6967152e8a739e25f6b0757e80b8cf9b77eda4c67a3e2e2b0a7b9cb9f2970c2ff2136e06aa9045b523d046b1b63705556523de849d918c03eab4

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/3356-200-0x00000000022D0000-0x00000000023D0000-memory.dmp

memory/3356-201-0x0000000003E90000-0x0000000003E99000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e9b9566f2dcdb80843e46fa560668c02
SHA1 12b80397264d52d36ddab9cc7cc8d8ffecf2b2f6
SHA256 1141b2943bf17fdafbc2cb045673b3b4f2bf1909f54d3f3a249307f2805387cc
SHA512 19019dd57455f9c90e6fb8a14700318d97eaf85b479f87809b996b9af9a801bd13e2eecc8436c17d81e0613662a08c62daf0b2c03d955de2c98a90e20884b4fe

memory/392-216-0x00000000041C0000-0x00000000045BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/392-220-0x00000000046C0000-0x0000000004FAB000-memory.dmp

memory/3260-217-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3260-221-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/3260-231-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2576-230-0x0000000003070000-0x0000000003086000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3f3210050a4589af07edbad78781e214
SHA1 45e55d60886a6dac3c1fba2d972d8d38ac45b541
SHA256 3a126243f9184d21e03173831a8c4d8793a194e8cf796c3ba08d4bb3177d8bb8
SHA512 1987a1d18bc814d058b6df6f16f949844075bbe4356152555187f0119fecc1de5003a50750a8e283c222e58d297b28f5f17a36b3b2c2a7b537e4f26f93a6cbb6

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/5088-279-0x0000000000F90000-0x00000000014A6000-memory.dmp

memory/392-280-0x0000000000400000-0x000000000266D000-memory.dmp

memory/392-281-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3f3210050a4589af07edbad78781e214
SHA1 45e55d60886a6dac3c1fba2d972d8d38ac45b541
SHA256 3a126243f9184d21e03173831a8c4d8793a194e8cf796c3ba08d4bb3177d8bb8
SHA512 1987a1d18bc814d058b6df6f16f949844075bbe4356152555187f0119fecc1de5003a50750a8e283c222e58d297b28f5f17a36b3b2c2a7b537e4f26f93a6cbb6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 badfd6668b9f6d328db9b530219714d4
SHA1 00d76d56421dc4caf1ac5ec94ce7dc57329503df
SHA256 f071735a0ae2ff589106bcbd968ebff2b3cf065ac1a76241a9eb1d382a02c839
SHA512 ac3bd18eb96f4b73e6a857ca2b00e30c0519928d252404563fdaef3709d3bd1609c783445bbca65b1de6275a316690605c69d408d36378a4ce6f815cf5d62f4c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 badfd6668b9f6d328db9b530219714d4
SHA1 00d76d56421dc4caf1ac5ec94ce7dc57329503df
SHA256 f071735a0ae2ff589106bcbd968ebff2b3cf065ac1a76241a9eb1d382a02c839
SHA512 ac3bd18eb96f4b73e6a857ca2b00e30c0519928d252404563fdaef3709d3bd1609c783445bbca65b1de6275a316690605c69d408d36378a4ce6f815cf5d62f4c

memory/5088-302-0x00000000726C0000-0x0000000072E70000-memory.dmp

memory/3528-303-0x00000000053E0000-0x00000000053F2000-memory.dmp

memory/372-304-0x00000000078E0000-0x0000000007EF8000-memory.dmp

memory/4612-305-0x00000000087D0000-0x00000000088DA000-memory.dmp

memory/392-308-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 355ba9445e25a1d846087ab762e25522
SHA1 e3e5740bf1d77cfbb1f3b17da481f64d4676f9a1
SHA256 cd5cbde62351dd82392cbdbe7a893d042f738595f4acec880229e52e39437b4b
SHA512 70842884e65ff8f88e6fd0df49a9f19b5fde3469f678eb7e4128f765f58982b8e6b666d5cf07522edd4051a7897a8bb9c4c034b79a9c925a49f1806292e2e07d

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/5088-324-0x0000000005DA0000-0x0000000005DB0000-memory.dmp

memory/392-325-0x00000000041C0000-0x00000000045BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 424e1365ef6c1fa911410d32130cdac5
SHA1 2765c3919c96d3dc09fef2296368a05f3ceacb60
SHA256 d76538f1f64b71cb6f2771d49dbc86a438bbe34f9478b60217a036ddd50bb989
SHA512 d7e7a555b014fa931a66d1926260cedd6b0c2026c0295a8b90c1e37e984fe6ae7707b2944e83d5272d200f4498cdd6bbd0d6709519ada6ae89eccaefee7d5e81