Malware Analysis Report

2025-01-23 11:34

Sample ID 231010-1gbpssef55
Target 5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe
SHA256 5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f
Tags
amadey glupteba healer redline sectoprat smokeloader 6012068394_99 lutyr magia pixelscloud up3 backdoor dropper evasion infostealer loader persistence rat trojan dcrat google discovery phishing spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f

Threat Level: Known bad

The file 5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey glupteba healer redline sectoprat smokeloader 6012068394_99 lutyr magia pixelscloud up3 backdoor dropper evasion infostealer loader persistence rat trojan dcrat google discovery phishing spyware stealer

Glupteba payload

SmokeLoader

SectopRAT

Amadey

Modifies Windows Defender Real-time Protection settings

Detected google phishing page

RedLine payload

SectopRAT payload

Glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

Detects Healer an antivirus disabler dropper

Healer

Windows security bypass

DcRat

Drops file in Drivers directory

Modifies Windows Firewall

Stops running service(s)

Downloads MZ/PE file

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Modifies system certificate store

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 21:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 21:36

Reported

2023-10-10 23:11

Platform

win10v2004-20230915-en

Max time kernel

86s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\50AF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\50AF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\50AF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\50AF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\50AF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\50AF.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4CB6.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5227.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\50AF.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4949.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\50AF.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4072 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3228 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\Temp\4949.exe
PID 3228 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\Temp\4949.exe
PID 3228 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\Temp\4949.exe
PID 3228 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C09.exe
PID 3228 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C09.exe
PID 3228 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C09.exe
PID 2112 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\4949.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 2112 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\4949.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 2112 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\4949.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 3228 wrote to memory of 3912 N/A N/A C:\Users\Admin\AppData\Local\Temp\4CB6.bat
PID 3228 wrote to memory of 3912 N/A N/A C:\Users\Admin\AppData\Local\Temp\4CB6.bat
PID 3228 wrote to memory of 3912 N/A N/A C:\Users\Admin\AppData\Local\Temp\4CB6.bat
PID 1684 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 1684 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 1684 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 3600 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 3600 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 3600 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 1380 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 1380 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 1380 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 4048 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe
PID 4048 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe
PID 4048 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe
PID 3228 wrote to memory of 2564 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F95.exe
PID 3228 wrote to memory of 2564 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F95.exe
PID 3228 wrote to memory of 2564 N/A N/A C:\Users\Admin\AppData\Local\Temp\4F95.exe
PID 2720 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\4C09.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2720 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\4C09.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2720 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\4C09.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3228 wrote to memory of 4992 N/A N/A C:\Users\Admin\AppData\Local\Temp\50AF.exe
PID 3228 wrote to memory of 4992 N/A N/A C:\Users\Admin\AppData\Local\Temp\50AF.exe
PID 2720 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\4C09.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2720 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\4C09.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2720 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\4C09.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2720 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\4C09.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2720 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\4C09.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2720 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\4C09.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2720 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\4C09.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3228 wrote to memory of 3388 N/A N/A C:\Users\Admin\AppData\Local\Temp\5227.exe
PID 3228 wrote to memory of 3388 N/A N/A C:\Users\Admin\AppData\Local\Temp\5227.exe
PID 3228 wrote to memory of 3388 N/A N/A C:\Users\Admin\AppData\Local\Temp\5227.exe
PID 3912 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\4CB6.bat C:\Windows\system32\cmd.exe
PID 3912 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\4CB6.bat C:\Windows\system32\cmd.exe
PID 5092 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5092 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2564 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\4F95.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe

"C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4072 -ip 4072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 284

C:\Users\Admin\AppData\Local\Temp\4949.exe

C:\Users\Admin\AppData\Local\Temp\4949.exe

C:\Users\Admin\AppData\Local\Temp\4C09.exe

C:\Users\Admin\AppData\Local\Temp\4C09.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\4CB6.bat

"C:\Users\Admin\AppData\Local\Temp\4CB6.bat"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\50AF.exe

C:\Users\Admin\AppData\Local\Temp\50AF.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\4F95.exe

C:\Users\Admin\AppData\Local\Temp\4F95.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2720 -ip 2720

C:\Users\Admin\AppData\Local\Temp\5227.exe

C:\Users\Admin\AppData\Local\Temp\5227.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4E98.tmp\4E99.tmp\4E9A.bat C:\Users\Admin\AppData\Local\Temp\4CB6.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3920 -ip 3920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2564 -ip 2564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 568

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hH861vm.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hH861vm.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\7DAD.exe

C:\Users\Admin\AppData\Local\Temp\7DAD.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa9d1a46f8,0x7ffa9d1a4708,0x7ffa9d1a4718

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9d1a46f8,0x7ffa9d1a4708,0x7ffa9d1a4718

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,2842092798297241418,10886087128803160381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,2842092798297241418,10886087128803160381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,2842092798297241418,10886087128803160381,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2842092798297241418,10886087128803160381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2842092798297241418,10886087128803160381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2842092798297241418,10886087128803160381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,8332411986486653737,281644511056156007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2842092798297241418,10886087128803160381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\BD28.exe

C:\Users\Admin\AppData\Local\Temp\BD28.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\C518.exe

C:\Users\Admin\AppData\Local\Temp\C518.exe

C:\Users\Admin\AppData\Local\Temp\D2B6.exe

C:\Users\Admin\AppData\Local\Temp\D2B6.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 45.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 27.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.35:443 facebook.com tcp
US 8.8.8.8:53 35.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp

Files

memory/4944-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4944-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3228-2-0x0000000000A90000-0x0000000000AA6000-memory.dmp

memory/4944-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4949.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

C:\Users\Admin\AppData\Local\Temp\4949.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

C:\Users\Admin\AppData\Local\Temp\4C09.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

C:\Users\Admin\AppData\Local\Temp\4C09.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\4CB6.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\4CB6.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\4CB6.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\4F95.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\4F95.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\50AF.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/3096-69-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4992-68-0x00000000001B0000-0x00000000001BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\50AF.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/3096-65-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3096-64-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5227.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3096-77-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4992-76-0x00007FFA9ABA0000-0x00007FFA9B661000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5227.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3920-80-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3920-85-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1520-84-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3920-79-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3096-86-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\4E98.tmp\4E99.tmp\4E9A.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/1520-93-0x0000000072730000-0x0000000072EE0000-memory.dmp

memory/4992-94-0x00007FFA9ABA0000-0x00007FFA9B661000-memory.dmp

memory/1520-96-0x0000000072730000-0x0000000072EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hH861vm.exe

MD5 cded7d5b117a56fe62558b4e745efcb1
SHA1 f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8
SHA256 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb
SHA512 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hH861vm.exe

MD5 cded7d5b117a56fe62558b4e745efcb1
SHA1 f5f0d4f7533e696b778d9f70ebf17dbfe4eadea8
SHA256 24d936540c5d20b1ad3d87c3c18e2cb735193551f02cb9b90656bfea9a7cdafb
SHA512 4cbce60d1b25169369b979f283747f36b969cdc0fba9062b77877eef3c6178f8e88c5503d7d745b4a6f30b73ae6423af4feeca3cab26c765b65f053c56f85696

memory/1016-101-0x0000000072730000-0x0000000072EE0000-memory.dmp

memory/1016-100-0x00000000002C0000-0x00000000002FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7DAD.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\7DAD.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/1016-107-0x0000000007530000-0x0000000007AD4000-memory.dmp

memory/4992-106-0x00007FFA9ABA0000-0x00007FFA9B661000-memory.dmp

memory/2420-108-0x0000000072730000-0x0000000072EE0000-memory.dmp

memory/2420-110-0x0000000000550000-0x000000000147A000-memory.dmp

memory/1520-109-0x0000000007AB0000-0x0000000007B42000-memory.dmp

memory/1016-112-0x00000000072D0000-0x00000000072E0000-memory.dmp

memory/1520-114-0x0000000007CF0000-0x0000000007D00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/1520-124-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/1520-146-0x0000000007E10000-0x0000000007F1A000-memory.dmp

memory/1016-140-0x0000000008100000-0x0000000008718000-memory.dmp

memory/1016-148-0x0000000007320000-0x0000000007332000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/1520-152-0x0000000007D80000-0x0000000007DBC000-memory.dmp

memory/2564-155-0x0000000000CC0000-0x00000000011D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1016-161-0x0000000007AE0000-0x0000000007B2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2564-153-0x0000000072730000-0x0000000072EE0000-memory.dmp

memory/2564-170-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

memory/2564-171-0x0000000005CF0000-0x0000000005D8C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

memory/2564-178-0x0000000005A80000-0x0000000005A81000-memory.dmp

\??\pipe\LOCAL\crashpad_3088_ZIWICWRJXZOZYVFP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2420-169-0x0000000072730000-0x0000000072EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 22a29b70a0feb97bb442043c47a2c2b3
SHA1 129282f7d720fceb19915cdb6bdfbb9fced1708f
SHA256 e862546b7b4eebe3c1c814c2e4baeb1d734719a836d9aa983fdc0f8a877ad941
SHA512 9ebdc9f7a3004b6c055d28dd2844180819ce80fc29ba688b75c6284539f817638494c63c76128b0cd29688b534b40e961e1aa5b044aa408d322324573d9dcd74

memory/3236-201-0x00000000023F0000-0x00000000023F9000-memory.dmp

memory/3236-200-0x0000000002480000-0x0000000002580000-memory.dmp

memory/4556-207-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/1016-214-0x0000000072730000-0x0000000072EE0000-memory.dmp

memory/4556-215-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0a8aa0c8db862eeb7ec9f995828a77c5
SHA1 74ad55977b8a3f56a42867c6f44091521e1201c4
SHA256 80d6c157bb7c083fae772d8646209b430c131de3ad066a8208aac891b35ff264
SHA512 c2ed53337d098295e0e6022a36d5666c03c45708c7fc1f003a87e607df3b6f46313f7d96b4eaf1a6473489c6d71b3a9192f4f536ececdb0eb0c982cf1f526c7c

memory/1016-217-0x00000000072D0000-0x00000000072E0000-memory.dmp

memory/1520-218-0x0000000007CF0000-0x0000000007D00000-memory.dmp

memory/3308-219-0x0000000004280000-0x0000000004682000-memory.dmp

memory/3308-220-0x0000000004790000-0x000000000507B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BD28.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/3308-224-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BD28.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/4032-243-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2564-278-0x0000000072730000-0x0000000072EE0000-memory.dmp

memory/4556-281-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3228-280-0x00000000029B0000-0x00000000029C6000-memory.dmp

memory/3308-279-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C518.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

\??\pipe\LOCAL\crashpad_3816_KBPQYGBJWCZIOJBA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1584-304-0x00007FF7979E0000-0x00007FF797F81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C518.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/2564-306-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

memory/4032-308-0x00000000006E0000-0x000000000073A000-memory.dmp

memory/4032-312-0x0000000072730000-0x0000000072EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BD28.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\BD28.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\D2B6.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/5428-320-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/5428-322-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 21:36

Reported

2023-10-10 23:11

Platform

win7-20230831-en

Max time kernel

144s

Max time network

181s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\52E5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\52E5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\52E5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\52E5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\52E5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\52E5.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\34C6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4A3B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4B16.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4E23.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52E5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5556.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87AD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hcegsur N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BD00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4AA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\34C6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\34C6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5556.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87AD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87AD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87AD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87AD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87AD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BD00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BD00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\87AD.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\52E5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\52E5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\34C6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20231010231042.cab N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1CA34311-67C2-11EE-9A91-FAA3B8E0C052} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1C3258D1-67C2-11EE-9A91-FAA3B8E0C052} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302182f9cefbd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403141261" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000d976820991a6319c1a8292c42db9d3b1ccf5f69515622617df6280ad5bfc9d07000000000e8000000002000020000000684719e5ac01369915a3ad7bae26c78eaedcac27f6a691643722d5f4685d6cc190000000f067bcc5b53f43b49fd91cc495b10032dd476a8a492beb602e4235c33f22358c87d5f22462681ef3cf9729b9381fb9ec211f61dece451be63ca138781e481e14023fe90887cf7878c2a665a698012973583d0268b5773527c5c036c896cd86bde717240aaf508de297457ea998293baeb327ca6b350b3edcb9ea5cdc2482dd0534067a9aba84e3c9c88e544de815a5ea400000003c1a443401eb50b8546b120a1f2c918f4dc06b902ba20234be24cc6bc6b55096f4c6caeec595cad9df28f32bafbb976a9c1860775acae886551011bfb3f048d9 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a7140000000000200000000001066000000010000200000002f96fd03850685302688e5d76e256869d0bb2160cf074990ff5fdeab06af0774000000000e800000000200002000000076989addcc4b31db8c694b6335f810c2fbfac955a02bf88947e8b594b53bf47120000000a376f3e1612d1e2926bb39bc9064abb8fe545d2f93f78400942a87e854c1ad3140000000e57b74bbb1b411d73aa67d0263e5436abc082caf5c4d60d517cfaea6ef071dcc6f382c4d5c53e278915277c1720cd001e7a48a024ff3354a7c6d3c1aa72af25f C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\52E5.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A47.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2772 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2772 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2772 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2772 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2772 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2772 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2772 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2772 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2772 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2772 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2772 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2772 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\SysWOW64\WerFault.exe
PID 2772 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe C:\Windows\SysWOW64\WerFault.exe
PID 1308 wrote to memory of 2528 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\34C6.exe
PID 1308 wrote to memory of 2528 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\34C6.exe
PID 1308 wrote to memory of 2528 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\34C6.exe
PID 1308 wrote to memory of 2528 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\34C6.exe
PID 1308 wrote to memory of 2528 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\34C6.exe
PID 1308 wrote to memory of 2528 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\34C6.exe
PID 1308 wrote to memory of 2528 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\34C6.exe
PID 2528 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\34C6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 2528 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\34C6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 2528 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\34C6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 2528 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\34C6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 2528 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\34C6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 2528 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\34C6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 2528 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\34C6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe
PID 1308 wrote to memory of 2564 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4A3B.exe
PID 1308 wrote to memory of 2564 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4A3B.exe
PID 1308 wrote to memory of 2564 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4A3B.exe
PID 1308 wrote to memory of 2564 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4A3B.exe
PID 2504 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 2504 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 2504 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 2504 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 2504 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 2504 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 2504 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe
PID 1308 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4B16.bat
PID 1308 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4B16.bat
PID 1308 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4B16.bat
PID 1308 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4B16.bat
PID 3008 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 3008 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 3008 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 3008 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 3008 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 3008 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 3008 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe
PID 2880 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 2880 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 2880 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 2880 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 2880 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 2880 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 2880 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe
PID 2836 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\4B16.bat C:\Windows\system32\cmd.exe
PID 2836 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\4B16.bat C:\Windows\system32\cmd.exe
PID 2836 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\4B16.bat C:\Windows\system32\cmd.exe
PID 2836 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\4B16.bat C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe
PID 1932 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe
PID 1932 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe

"C:\Users\Admin\AppData\Local\Temp\5f7cb41fa610ede3759b974c250e79f89a9046a9814b4c2d867272e58b830c0f_JC.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 76

C:\Users\Admin\AppData\Local\Temp\34C6.exe

C:\Users\Admin\AppData\Local\Temp\34C6.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

C:\Users\Admin\AppData\Local\Temp\4A3B.exe

C:\Users\Admin\AppData\Local\Temp\4A3B.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

C:\Users\Admin\AppData\Local\Temp\4B16.bat

"C:\Users\Admin\AppData\Local\Temp\4B16.bat"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4BEE.tmp\4BFF.tmp\4C00.bat C:\Users\Admin\AppData\Local\Temp\4B16.bat"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

C:\Users\Admin\AppData\Local\Temp\4E23.exe

C:\Users\Admin\AppData\Local\Temp\4E23.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 280

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\52E5.exe

C:\Users\Admin\AppData\Local\Temp\52E5.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 132

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\5556.exe

C:\Users\Admin\AppData\Local\Temp\5556.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:275458 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1268 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {E084F940-2770-4969-B818-DBF630FF700A} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\87AD.exe

C:\Users\Admin\AppData\Local\Temp\87AD.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Roaming\hcegsur

C:\Users\Admin\AppData\Roaming\hcegsur

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\BD00.exe

C:\Users\Admin\AppData\Local\Temp\BD00.exe

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 524

C:\Users\Admin\AppData\Local\Temp\4AA.exe

C:\Users\Admin\AppData\Local\Temp\4AA.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 508

C:\Users\Admin\AppData\Local\Temp\A47.exe

C:\Users\Admin\AppData\Local\Temp\A47.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010231042.log C:\Windows\Logs\CBS\CbsPersist_20231010231042.cab

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8361546C-99FB-4902-86B1-634B3FD8F243} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1199561010-958458819-2013296478-1262857352-592385080-1620872799-4373208-545946168"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 accounts.google.com udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 www.facebook.com udp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.35:443 facebook.com tcp
CZ 157.240.30.35:443 facebook.com tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
CZ 157.240.30.35:443 fbcdn.net tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 fbsbx.com udp
CZ 157.240.30.35:443 fbsbx.com tcp
CZ 157.240.30.35:443 fbsbx.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.251.36.14:443 accounts.youtube.com tcp
NL 142.251.36.14:443 accounts.youtube.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
NL 85.209.176.171:80 85.209.176.171 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 15c71257-c12d-496c-a308-6735eba895dd.uuid.cdntokiog.studio udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp

Files

memory/2916-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2916-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2916-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2916-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2916-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1308-5-0x0000000002B10000-0x0000000002B26000-memory.dmp

memory/2916-7-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34C6.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

C:\Users\Admin\AppData\Local\Temp\34C6.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

\Users\Admin\AppData\Local\Temp\34C6.exe

MD5 839f8fc33a04de86e8d5994b2aa6aea0
SHA1 5cb533c20d178bf038d2da2c61eb95bc26433e7c
SHA256 a6d5771ff701fc2702cf698c991c88429f6d840c02b081c68bd2164e40aa71db
SHA512 f53a78336f45421ab3c3bea36e4e7f3f9e7db0a1e6463261c82f4fc48ef9c4a238f1d23e3ea79850d1c117a7d7090b109c04c3da7775ee4528c227820bfee664

\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kx4St2pf.exe

MD5 e82f10ca30c3674b591ba3761a00ff50
SHA1 e751249903f3eeaab829b9cb8e8ae4219222cd23
SHA256 348da7ee617303b87e3334a8857e346309aaf245a78402dec95bf006b54dc6a9
SHA512 9c1d2a823d8856ec9547eef550484b081bd9ce9527fbbe2bbe7c9988c817eb1dce2a963233175c77c9f9137e4a9c012b65de78e29722b14c36eb004f0d30e8d3

C:\Users\Admin\AppData\Local\Temp\4A3B.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IB0tc6CQ.exe

MD5 49984d4611ca7c02b606d50a958ddd24
SHA1 836a4d3d4cd8baab3a823750e4d44e0c58001dd8
SHA256 205d80759c8ddf3f0730c60c7f9090305e6b99627dce06edded9807b19dd85c5
SHA512 16d2b04a53cda812057d531ccac485a2e41abd12ca5161b09c5594f98bf44e27fa85f89f9ca02144a2d1d55f64f6ad821f893da6994ebcd90c6a5b42b91087ed

C:\Users\Admin\AppData\Local\Temp\4B16.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\4B16.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ok8bG1wv.exe

MD5 590173d0a05e97556709039366f07fea
SHA1 4402d6ea0d867c33ae1e852bb357053d01551e02
SHA256 0b4a5327d31e581553a6966ea7e298c50667f241de97b21af50cfb6c81c800e6
SHA512 b220273d2bbcb3fca40463cd034bbe6d00d4019b25e7918f8f16e6e93a9244f3b38b7e7a490a74de0e9fc216ef4a37872cf36c5a053af30ad31d7cf9623045fa

\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FG2wS5ol.exe

MD5 648ba0e942d7d0193ff347f9c3abd5e8
SHA1 ef7f4e5743b988a622664b53ed661badfd790c49
SHA256 9213f30827cb1420d351655a57791de3445ded1cd03c40df0bea9e765c1368ba
SHA512 e559614e1c401d7073880d09ec720c09db0f631cc57104e07d600e6c286b1f9aebe010ac9f5c87c9122b95cf228fb6a3818217ff4e3b90a2d2263a95811c12b1

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\4BEE.tmp\4BFF.tmp\4C00.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\4E23.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

\Users\Admin\AppData\Local\Temp\4A3B.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

\Users\Admin\AppData\Local\Temp\4A3B.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

\Users\Admin\AppData\Local\Temp\4A3B.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

C:\Users\Admin\AppData\Local\Temp\52E5.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\52E5.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

\Users\Admin\AppData\Local\Temp\4A3B.exe

MD5 a3935470ac75a6b353ae690082b55292
SHA1 40408e4df6dc3f8b94b79b64fdaf39a2c6a06d86
SHA256 001a4c426890691c8daff98d7345167b59218d86e1b7dd0d0ffc1fbe58612d32
SHA512 f7bf7f074a5937fa9f04eeba5b8cf89270fca422d3f8701c753a22f77d359be7893627148d95aa954fd2473c7aecf085889ec1dff4958e06ef25f88785c20bde

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OG42Qe5.exe

MD5 7bbb81dd416c9095b091a8928f9f417e
SHA1 5ad4f96fe96dac9fa3b5151cb2da8aeea7818821
SHA256 920d9f07530945a025bc7b108a6b076b5cbd3cab0e040e12c1fe730673786441
SHA512 e518b5bdf2b6f52ef2e8dac7673110eb36ed4cfa9c50dfaec94e60ca727e3acbd56a15b5e5773ef716a5adb78051fe0913c6c8ca2a48994517604bad287790ee

memory/1760-127-0x0000000000370000-0x000000000037A000-memory.dmp

\Users\Admin\AppData\Local\Temp\4E23.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

\Users\Admin\AppData\Local\Temp\4E23.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

\Users\Admin\AppData\Local\Temp\4E23.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

\Users\Admin\AppData\Local\Temp\4E23.exe

MD5 93990eb50d3989187d96bbb7ee7307d2
SHA1 1677aed3760a6348b97aa163134d23b49b7ed298
SHA256 25c69320a3d9cd10abae8aaf565082a44158ee506173030e741e9c44d08fed6e
SHA512 e32474eaf50b378011af84b627de25a9b13fc8608aaa71135990bd0fb89c589a24ab33a299dc22247908e6617856b7a940d004e73fd0adde847590fcbcb89a95

C:\Users\Admin\AppData\Local\Temp\5556.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\5556.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1760-157-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1C3258D1-67C2-11EE-9A91-FAA3B8E0C052}.dat

MD5 d5026e570f01320a9fc92dffb698adca
SHA1 a8021cb0513ec96b739431212e22057bc24836aa
SHA256 0261e64ea7019c8df538c6aaae5cc4c9a8a26babbd2cd96136990b2afa4dbd1e
SHA512 c79a62f26895ea59bfd7525dda83df55c5ea01a70cfa6d0ac5790edde2f520ca7d59c141742c02cc048186ee5c368eceda1385d9c28df734f1752ce86ffbdb32

C:\Users\Admin\AppData\Local\Temp\Cab5DF8.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar5E7A.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c60b1a26201ac61343fc559977c22495
SHA1 632d199df0ac18fd85278b005d31fa96e4da47f5
SHA256 4c63d602c6e4a9f6ac230a2bdf96c9c3fca093da4d7ff3572e4134d445689009
SHA512 d9e8c643c38d813cdfef300432122d89954fce1d3a2d4f0959d864f8b8728383e3454b68083ed1df8d580381f7c91f1797299482d12be18486e881ca3d81d663

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c60b1a26201ac61343fc559977c22495
SHA1 632d199df0ac18fd85278b005d31fa96e4da47f5
SHA256 4c63d602c6e4a9f6ac230a2bdf96c9c3fca093da4d7ff3572e4134d445689009
SHA512 d9e8c643c38d813cdfef300432122d89954fce1d3a2d4f0959d864f8b8728383e3454b68083ed1df8d580381f7c91f1797299482d12be18486e881ca3d81d663

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e62d85ccc4c3595cd4221eb5c495eec0
SHA1 afaa57ab7f57a42dc6673e9c31e07c19e97133ee
SHA256 879a5677cda3d9b9ab60cbd1f4feef2af924e060bfbb83c70a2581576d780d00
SHA512 8a5dcbd90b0eb4ce9221579bcdf0267d4488fba63bb3c884fc39f7dd78d99c2cbe5c403f32d163011d386e00eaedf9bf38c2380a2a37f5ee1159e1ee4da44417

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e62d85ccc4c3595cd4221eb5c495eec0
SHA1 afaa57ab7f57a42dc6673e9c31e07c19e97133ee
SHA256 879a5677cda3d9b9ab60cbd1f4feef2af924e060bfbb83c70a2581576d780d00
SHA512 8a5dcbd90b0eb4ce9221579bcdf0267d4488fba63bb3c884fc39f7dd78d99c2cbe5c403f32d163011d386e00eaedf9bf38c2380a2a37f5ee1159e1ee4da44417

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XQ8ZHSDO\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\zo0jyaj\imagestore.dat

MD5 fdf4ea4dd607dc06d7ab7b9dfbe8911a
SHA1 797ab581282da331350d686e054e62b3bffac244
SHA256 c7fad93fa57af41e9ca16047bd7c1528787655cca58d452514662b2937bde8d2
SHA512 46e10f0c42072b1f31e4277d480097f6842b5170b310c2d584fdcedb9bfd5febb1878886ef6b42f2e6e9a75c346de038d0e80e183ae7d087f888dac720c2ee4f

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\zo0jyaj\imagestore.dat

MD5 6c2b9eb7b735c9d9905f0420d362cef2
SHA1 d9b1fd7b2a0f0a2c1fd081d29f080397aabee116
SHA256 bc3d7d8d0108586052ad909257eb5ae06fb5bfedf1fb2ba8ba6f5ea54fc64a30
SHA512 91bd1a3758323f148daeb87bd529b4cf2609741ec2944cc0cc9432b648902bcc956402116eea10ca9b4896d0179dab9dde645a1d58be93a19f5eb7182d4580d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B9T67D7I\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

memory/1760-482-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4384142b8bc84806509134d1fc73fedc
SHA1 6a06cb716994517e4284a1b02f96cb71e1461a30
SHA256 17abfa00291ac7a05cd54fcf520153d795fa698e3032a5d2396eb06207e95657
SHA512 382eded9da042912e03d25e487347e2043219ae6df94f33abfc87ad8483c3b9251721aeeae9eb59a9374d11a5f52fd0ad628bc0ed440bcf15052b0a53857ccb9

memory/1760-517-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 190dc95fa4bcf9f08b3a788e8ad30ba6
SHA1 a3efb4d9a7fc6818de7ae5392e4d67d19d65cb14
SHA256 7de375cf6afd4ebd856d08bba8bfe15a4af3a3e35273e110c5aceaaebcb7f949
SHA512 cd96951ca89f83ef3d82714863342c8697ea36c7d7d488144af19abc9033882777aac364510b7baa859b4345d2ecf74cac4f13dadb31beb0199384297190a9c2

C:\Users\Admin\AppData\Local\Temp\87AD.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\87AD.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Roaming\hcegsur

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

C:\Users\Admin\AppData\Roaming\hcegsur

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff3c9d204073e2656946d3762f5bceb5
SHA1 94b66cef878a9b04256971d99b53a44f3e97c39f
SHA256 67450faf0a8490aad0cb3d20c7e6fcc6e8d7e7c2e4b9f2377d9d56282f0d4df9
SHA512 484573631fc978f2750b5bd3207510f1114ac77e0b2024b4c41d721785e3d12e619a9176f04d267814feaea433217dc638a9f63b9ad540a877628c0c23fe9efb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7624ac3a719a03ebb49fe8d28ab46a3c
SHA1 8a64bd3a701ab7f3a8cea6aa9481d559a39667e7
SHA256 cd6953bc82f3456dd907402a74d5502f5b88a64e4713e05fdfded2c85ccd417b
SHA512 553c02de7775f63cb1daa1df1e204877d14a7df7ef6a8f334f7bcc414bfca94d7d8625f3836620b4fc85bf4aa660bc76769950d78f8acce256de301a2506da9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec07f9beff12a275497d7f16819ae0cb
SHA1 43ed754dfcd00a095097e99c3f3b2f4d7e3532b4
SHA256 dd3091b9098cf68748a3a3e92a6b95883bc4c0e81d6a2f0e2c8988e9384807db
SHA512 e49c8274346e697ed439c9983b7b939bff53e3cd7a55135cc0bb8d2ad438c167b94b32d1dfcb6b40b34906b47fb75554868bb034b0ea999a105b778ef731a8fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 313b1ee1111d6070296cc303a51291ef
SHA1 f1edfe6aefbb2e683ba3f47eda2467ca5c3281dc
SHA256 e732cc2c4b1aa5bf06bcf4d4e5d6aa1a93cc34f6e579bda9983f4828dcd20f3e
SHA512 5dd281f118ace0395d086d3758b8c2e1129f1697f3bc9d1323633cb791bf724d3cd3475d0a72a980f2f5286cb0503db3b76d111f6f53606daf504018c2057815

memory/2064-767-0x0000000070410000-0x0000000070AFE000-memory.dmp

memory/2064-814-0x00000000012A0000-0x00000000021CA000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/2872-945-0x0000000003F90000-0x0000000004388000-memory.dmp

memory/2064-946-0x0000000070410000-0x0000000070AFE000-memory.dmp

memory/3004-947-0x0000000002460000-0x0000000002560000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\BD00.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/2872-955-0x0000000003F90000-0x0000000004388000-memory.dmp

memory/812-954-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3004-948-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2872-958-0x0000000004390000-0x0000000004C7B000-memory.dmp

memory/812-959-0x0000000000400000-0x0000000000409000-memory.dmp

memory/812-957-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1048-964-0x0000000070410000-0x0000000070AFE000-memory.dmp

memory/1456-965-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1048-968-0x00000000011D0000-0x00000000016E6000-memory.dmp

memory/1456-966-0x0000000000230000-0x000000000028A000-memory.dmp

memory/1456-971-0x0000000070410000-0x0000000070AFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4AA.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/2064-974-0x0000000070410000-0x0000000070AFE000-memory.dmp

memory/2936-979-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2936-980-0x0000000000020000-0x000000000003E000-memory.dmp

memory/2872-984-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2872-985-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2936-989-0x0000000070410000-0x0000000070AFE000-memory.dmp

memory/1048-992-0x0000000000E70000-0x0000000000EB0000-memory.dmp

memory/1048-991-0x0000000000930000-0x0000000000931000-memory.dmp

memory/2156-990-0x00000000009F0000-0x0000000000A0E000-memory.dmp

memory/2156-993-0x0000000070410000-0x0000000070AFE000-memory.dmp

memory/812-995-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1308-994-0x00000000039B0000-0x00000000039C6000-memory.dmp

memory/2872-999-0x0000000004390000-0x0000000004C7B000-memory.dmp

memory/2156-1000-0x0000000002010000-0x0000000002050000-memory.dmp

memory/1048-1001-0x0000000070410000-0x0000000070AFE000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/1456-1013-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2872-1014-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1456-1015-0x0000000070410000-0x0000000070AFE000-memory.dmp

memory/2840-1016-0x00000000040E0000-0x00000000044D8000-memory.dmp

memory/2840-1017-0x00000000040E0000-0x00000000044D8000-memory.dmp

memory/2840-1018-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2072-1019-0x000000013F0C0000-0x000000013F661000-memory.dmp

memory/1048-1020-0x0000000000E70000-0x0000000000EB0000-memory.dmp

memory/2156-1021-0x0000000070410000-0x0000000070AFE000-memory.dmp

memory/2156-1022-0x0000000002010000-0x0000000002050000-memory.dmp

memory/2840-1023-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aaa89d97c81f1464491ca6fd834c7860
SHA1 41774129ef6cb87f337a8c7a1d2cf036fe32ac20
SHA256 6596ebaf247ab54f1325134b5923dfefd2a81d808310d7e42dba3f95bb9da2f1
SHA512 7baffbc88776458694a6669f27cfb37897a08e7e8d2a634785c184e160a5f3beeab826e552ecb6b5ac554df978dc50f36c1efb7fe64b993abc8ea2c04f380a86

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 825244a723baa172f5957af3ba1a4d09
SHA1 70d6be61d26394feee62c507ef2814f71629d0b2
SHA256 a3eec03ca041575b2dd0399de2fc8f0379e626cde7142da25d084cde927dc7a2
SHA512 0c6ae71f31e66eb567ebc55d76bdf667f7455cd162e110116c4fa41feb0353f3d94a4558628a686fdc60f07d53743dc8ffd6f3a51e42d7bc123220b27a876364

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 b2a39a6e38e178ea69c8360354362c80
SHA1 b5514fb1fb7c38c485fca03b5985c33e1c73a71e
SHA256 a40e1d4790fcb3d297ee5ce6f57423b25f4d4686b6080a33f44a74b695fb4296
SHA512 f714f2b81ebd16b608af95b4ea8c304239eba509de374f7524b8819a211d040998056255379b6d594cc1787e1ce06886525f5e9f3e56fcff7a22a59261934f2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b0912c654c5cfe796f14e4a96705dae5
SHA1 027292e0f51811b21d2d5d6cc48a11c10237d569
SHA256 b24b047286f16c9982643a736f77c01400912027978cb3732f8a78c1fb2f74cf
SHA512 29a8eea0cd69817630ab4115facdc470dbe1b665b082e58054f45799a0fcc56d5ee1b087e53bc2df05675def0f7c47a5eedb0b573e6fc4dab6e781b8ea77d436

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 67cbdca2a877b640409c8706b35dee06
SHA1 47ef07b78eaeacb4091b0a3e2cd7622e78400663
SHA256 c88b16ed9dee57a6350202eb89a8197f8adef21b6daad5ea85f0d0fa5b6bdba8
SHA512 a93ba8766b58de53230a6425f87c057f319f84640100a574b3002b6f045d79d965f1dee5f7dd8ea26e4cf0c44ccd88ca7bc9db26203a8df86a8a18d5342e3b39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4ea8bc5cfda8a363f3a4de746932c36
SHA1 ccecd220ffb953f6775292b4a203e8948bf7c1b8
SHA256 16f8be28649ff0b7ce021c0397126a6c264c9c187887dcea45be5bbea5e892e6
SHA512 69950c756f350cba64a6bc1aa3cb7e66af55e254c9d97139da634ddafb3a2a91723a3452c3821f50b56ce0724cc264e52f5d83c16ea8dd2099824b1d6bfbefaa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b89fba0bfb4ae76d890118eaebd83e2f
SHA1 765edd8b58b4693073448a86f8ed6ad811623d7d
SHA256 b4a4e119f08573721c8e10fabed2b2351beeb06d62ae3900b9ab1a729d638aab
SHA512 22728d1cb369c2e9bddc7058dae7a690fd490e19fe701da8e575479fb76b8fc47a3ff531abcaab6cb5f28bf388725956b214162ea3be10a5114319850e736aa5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8aac75f7f5bc3a4727810f51122e201a
SHA1 f934f8632c86465ad4625eb0f02ad2ae3474effe
SHA256 53ff9155b5a85881305896307a147de9f93a6816b02c2bcc3b3e74b9d7dad8e7
SHA512 5020b5af6ee3b9250550f850f17e0bca956424fdf62d6c3892b298198168c597a62b00f77a928a252aa6253be44ed89e62111adc3bf87b3953863f67805f9c3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 a6d32f5930941759a0fe75f795b4c9b5
SHA1 85ddc5c42a6e584246be6cba9bb5bffd552bc248
SHA256 48d4394415e81837a799fd75d3c20cb0fec8c766da1950b2859a8595bc10e266
SHA512 e7bfd9e376afeaaa1d7cba1e0b43046c70fbff484c1530d02852fd32dd605d3ac94b87c77c8fcb33bb73669a34f05aa122d2fc0682f43c4511e13db4cbd5c1a5

memory/1776-1613-0x000000001B2A0000-0x000000001B582000-memory.dmp

memory/1776-1614-0x0000000002250000-0x0000000002258000-memory.dmp

memory/1776-1615-0x000007FEF4300000-0x000007FEF4C9D000-memory.dmp

memory/2840-1616-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1776-1623-0x0000000002574000-0x0000000002577000-memory.dmp

memory/1776-1624-0x0000000002570000-0x00000000025F0000-memory.dmp

memory/2840-1621-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1776-1622-0x000007FEF4300000-0x000007FEF4C9D000-memory.dmp

memory/804-1625-0x0000000004080000-0x0000000004478000-memory.dmp

memory/2072-1626-0x000000013F0C0000-0x000000013F661000-memory.dmp

memory/804-1627-0x0000000004080000-0x0000000004478000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2ND3J2Q3R9GHW37DUS7Y.temp

MD5 92780413d2465a4870b20c342c4d8452
SHA1 a0b25207be96b65e84c010b2a3b43b96020d465f
SHA256 f11f41981848ff4a34ee8acdfd792a77c59a4feb20f8ecffd587fcf73a17ff7c
SHA512 538f235aa505e5db543ce5be92d79270714db3eb26975a7ee5bdd32016a7e7b8c8fb37b21a1f312630da8d670175d042c010ebf720920f5aa24d9079806e48e9

memory/804-1634-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2004-1633-0x000000001B1A0000-0x000000001B482000-memory.dmp

memory/2004-1635-0x0000000002250000-0x0000000002258000-memory.dmp

memory/2004-1636-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

memory/2004-1637-0x0000000002400000-0x0000000002480000-memory.dmp

memory/2004-1638-0x0000000002400000-0x0000000002480000-memory.dmp

memory/2004-1639-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

memory/2004-1640-0x0000000002400000-0x0000000002480000-memory.dmp

memory/2004-1641-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

memory/2072-1643-0x000000013F0C0000-0x000000013F661000-memory.dmp

memory/1776-1645-0x0000000002570000-0x00000000025F0000-memory.dmp

memory/1164-1646-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1048-1667-0x0000000000950000-0x000000000096C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/804-1672-0x0000000004080000-0x0000000004478000-memory.dmp

memory/1164-1673-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1048-1675-0x0000000000950000-0x0000000000965000-memory.dmp

memory/1048-1676-0x0000000000950000-0x0000000000965000-memory.dmp

memory/804-1674-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1048-1678-0x0000000000950000-0x0000000000965000-memory.dmp

memory/1048-1680-0x0000000000950000-0x0000000000965000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1048-1683-0x0000000000950000-0x0000000000965000-memory.dmp

memory/1048-1685-0x0000000000950000-0x0000000000965000-memory.dmp

memory/1048-1687-0x0000000000950000-0x0000000000965000-memory.dmp

memory/1048-1713-0x0000000000950000-0x0000000000965000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCA54.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpCAA8.tmp

MD5 5f358a4b656915069dae00d3580004a1
SHA1 c81e8b6f220818370d47464210c07f0148e36049
SHA256 8917aa7c60dc0d81231fb4be80a0d7b0e934ea298fb486c4bad66ef77bebcf5a
SHA512 d63ebd45d31f596a5c8f4fcc816359a24cbf2d060cb6e6a7648abaf14dc7cf76dda3721c9d19cb7e84eaeb113a3ee1f7be44b743f929de05c66da49c7ba7e97d

memory/1048-1777-0x0000000000950000-0x0000000000965000-memory.dmp

memory/1048-1775-0x0000000000950000-0x0000000000965000-memory.dmp

memory/1048-1779-0x0000000000950000-0x0000000000965000-memory.dmp

memory/1048-1783-0x0000000000950000-0x0000000000965000-memory.dmp

memory/1048-1781-0x0000000000950000-0x0000000000965000-memory.dmp

memory/1048-1784-0x00000000009D0000-0x00000000009D1000-memory.dmp

memory/2548-1797-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2548-1798-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2548-1807-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1048-1808-0x0000000070410000-0x0000000070AFE000-memory.dmp

memory/2156-1812-0x0000000070410000-0x0000000070AFE000-memory.dmp