Malware Analysis Report

2025-01-23 09:17

Sample ID 231010-y5tjeabb43
Target 52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20
SHA256 52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20
Tags
amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan lutyr magia
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20

Threat Level: Known bad

The file 52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20 was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan lutyr magia

SectopRAT

Windows security bypass

RedLine payload

Detects Healer an antivirus disabler dropper

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba payload

SectopRAT payload

RedLine

Modifies Windows Defender Real-time Protection settings

Detected google phishing page

SmokeLoader

Glupteba

DcRat

Amadey

Healer

Downloads MZ/PE file

Drops file in Drivers directory

Stops running service(s)

Modifies Windows Firewall

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Windows security modification

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of SendNotifyMessage

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:22

Reported

2023-10-10 20:30

Platform

win7-20230831-en

Max time kernel

147s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\F2AC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F2AC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\F2AC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\F2AC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F2AC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\F2AC.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D8C2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EA41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED5D.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F1D1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F2AC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F433.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3D16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\77E5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8889.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9E99.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gdfvujv N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D8C2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D8C2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F433.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3D16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3D16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3D16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3D16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3D16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3D16.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\F2AC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\F2AC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\D8C2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20231010202952.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef0000000002000000000010660000000100002000000092768b8d43d6450b6ccad13f51ae44ac7a726d2a083e4527d415368c16d913d7000000000e8000000002000020000000a8df842a4964677a0acbe195ac561b6b7b541f553c447f4e96e7ff2203333bd9900000008cab52efd007179bb44fd4d769dad8e9e43c8c666cdf9c1f4891a3ef1a3a45954a9cca6b4a67cd5de9a977dbd5c118bc71c7f4eafefb6f90302651bad689edc00ad9fc986206f782d408092e3021497e137208070ddddad3f1df630b510b2fc37907e53783418ab783c9d43e75bff8943dcf1d6ba382216b3a9cbdd6f9f4a06180bab74bd0cff85554554d68fb053abc40000000abcf9a564f30b45d720e6b751a3fad4c069f494ae6c5571d2d3adcbb148520b411cd5d3e68eaf428c95d8e43e6b41d907272dc502eca837efa7db6dd5309eb91 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef0000000002000000000010660000000100002000000061aa782ea56c0da9b6d0babd0584b0607d55ca29330de25bd6da37bee278a044000000000e8000000002000020000000d7d1e4674dd90f367fff8e9e9b0a9f27c5a69bf7571a7f317f5b06fb0209e15d20000000637f11aa7928a77a4eff34bb13f6a53ed06ace0c347bf9cce2890c0ffaec21b7400000004a8228c6bd3b2d62aedc2e1aeae146b03828e85c24e2e8abb6179b23f981753e8fc12bd176bd034cb8d15f4f0f5beca2a3b702a13077c8fbe983ea6132e2a4c0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0fa9783b8fbd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403131614" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A4DE4251-67AB-11EE-B92B-5EF5C936A496} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A4C67491-67AB-11EE-B92B-5EF5C936A496} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\9E99.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\9E99.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\9E99.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\9E99.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F2AC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8889.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9E99.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77E5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2036 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2036 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2036 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2036 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2036 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2036 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2036 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2036 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2036 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2036 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\SysWOW64\WerFault.exe
PID 2036 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\SysWOW64\WerFault.exe
PID 2036 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\SysWOW64\WerFault.exe
PID 2036 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\SysWOW64\WerFault.exe
PID 1280 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D8C2.exe
PID 1280 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D8C2.exe
PID 1280 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D8C2.exe
PID 1280 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D8C2.exe
PID 1280 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D8C2.exe
PID 1280 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D8C2.exe
PID 1280 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D8C2.exe
PID 2560 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\D8C2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe
PID 2560 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\D8C2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe
PID 2560 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\D8C2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe
PID 2560 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\D8C2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe
PID 2560 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\D8C2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe
PID 2560 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\D8C2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe
PID 2560 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\D8C2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe
PID 2516 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe
PID 2516 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe
PID 2516 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe
PID 2516 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe
PID 2516 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe
PID 2516 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe
PID 2516 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe
PID 1280 wrote to memory of 2364 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EA41.exe
PID 1280 wrote to memory of 2364 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EA41.exe
PID 1280 wrote to memory of 2364 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EA41.exe
PID 1280 wrote to memory of 2364 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EA41.exe
PID 3036 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe
PID 3036 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe
PID 3036 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe
PID 3036 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe
PID 3036 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe
PID 3036 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe
PID 3036 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe
PID 2876 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe
PID 2876 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe
PID 2876 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe
PID 2876 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe
PID 2876 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe
PID 2876 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe
PID 2876 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe
PID 3012 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe
PID 3012 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe
PID 3012 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe
PID 3012 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe
PID 3012 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe
PID 3012 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe
PID 3012 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe
PID 2364 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\EA41.exe C:\Windows\SysWOW64\WerFault.exe
PID 2364 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\EA41.exe C:\Windows\SysWOW64\WerFault.exe
PID 2364 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\EA41.exe C:\Windows\SysWOW64\WerFault.exe
PID 2364 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\EA41.exe C:\Windows\SysWOW64\WerFault.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe

"C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 68

C:\Users\Admin\AppData\Local\Temp\D8C2.exe

C:\Users\Admin\AppData\Local\Temp\D8C2.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe

C:\Users\Admin\AppData\Local\Temp\EA41.exe

C:\Users\Admin\AppData\Local\Temp\EA41.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 132

C:\Users\Admin\AppData\Local\Temp\ED5D.bat

"C:\Users\Admin\AppData\Local\Temp\ED5D.bat"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EE07.tmp\EE08.tmp\EE09.bat C:\Users\Admin\AppData\Local\Temp\ED5D.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 280

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:340993 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\F1D1.exe

C:\Users\Admin\AppData\Local\Temp\F1D1.exe

C:\Users\Admin\AppData\Local\Temp\F2AC.exe

C:\Users\Admin\AppData\Local\Temp\F2AC.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 132

C:\Users\Admin\AppData\Local\Temp\F433.exe

C:\Users\Admin\AppData\Local\Temp\F433.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2044 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\3D16.exe

C:\Users\Admin\AppData\Local\Temp\3D16.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\77E5.exe

C:\Users\Admin\AppData\Local\Temp\77E5.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\8889.exe

C:\Users\Admin\AppData\Local\Temp\8889.exe

C:\Users\Admin\AppData\Local\Temp\9E99.exe

C:\Users\Admin\AppData\Local\Temp\9E99.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010202952.log C:\Windows\Logs\CBS\CbsPersist_20231010202952.cab

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {E99EB3EE-0D3F-4E84-9140-6B54A80CCB82} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\gdfvujv

C:\Users\Admin\AppData\Roaming\gdfvujv

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {CCE22590-41BB-4282-9B79-AA00DD7B08E0} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 www.facebook.com udp
RU 5.42.65.80:80 5.42.65.80 tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.35:443 facebook.com tcp
CZ 157.240.30.35:443 facebook.com tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
CZ 157.240.30.35:443 fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
CZ 157.240.30.35:443 fbsbx.com tcp
CZ 157.240.30.35:443 fbsbx.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 108.177.119.102:443 accounts.youtube.com tcp
US 108.177.119.102:443 accounts.youtube.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 tak.soydet.top udp
FI 95.217.246.182:8443 tak.soydet.top tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 host-file-host6.com udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp

Files

memory/2940-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2940-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2940-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2940-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2940-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1280-5-0x0000000002BD0000-0x0000000002BE6000-memory.dmp

memory/2940-6-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D8C2.exe

MD5 521b301f03de5c5a4ff888ca5c18959e
SHA1 2cd040fdf4dbb80e180a9935dbb7f8908b1f522d
SHA256 c2216e3af5c696540b9ed3fd41f0bb87ae9c39615bcee3fb64157770865d8e2f
SHA512 464277c111bb8fb998946206ba24c0120583d21bd2c3324b3babbe4e22b5d075ce4d4d618680af4ec5633d151b2d4e7791099f9fe5e8772f496aedf48e8066e3

C:\Users\Admin\AppData\Local\Temp\D8C2.exe

MD5 521b301f03de5c5a4ff888ca5c18959e
SHA1 2cd040fdf4dbb80e180a9935dbb7f8908b1f522d
SHA256 c2216e3af5c696540b9ed3fd41f0bb87ae9c39615bcee3fb64157770865d8e2f
SHA512 464277c111bb8fb998946206ba24c0120583d21bd2c3324b3babbe4e22b5d075ce4d4d618680af4ec5633d151b2d4e7791099f9fe5e8772f496aedf48e8066e3

\Users\Admin\AppData\Local\Temp\D8C2.exe

MD5 521b301f03de5c5a4ff888ca5c18959e
SHA1 2cd040fdf4dbb80e180a9935dbb7f8908b1f522d
SHA256 c2216e3af5c696540b9ed3fd41f0bb87ae9c39615bcee3fb64157770865d8e2f
SHA512 464277c111bb8fb998946206ba24c0120583d21bd2c3324b3babbe4e22b5d075ce4d4d618680af4ec5633d151b2d4e7791099f9fe5e8772f496aedf48e8066e3

\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe

MD5 a54fad388920b74d6533f4594d3a4c2a
SHA1 df29634966f49ff4e0bbdc72447196c539f449e3
SHA256 91a18bf7a840de25fda37e78fd096b0983ca18ab4a3150aedfa54c79ac7b74fa
SHA512 cd05a64e986cb7f6c937853c816e03a9c771c698b04f2f43add724951fd8026c7f544f32bc43e6931b222eaaf2402e5a6f723adbdc33b9c4ef351e78db7c7793

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe

MD5 a54fad388920b74d6533f4594d3a4c2a
SHA1 df29634966f49ff4e0bbdc72447196c539f449e3
SHA256 91a18bf7a840de25fda37e78fd096b0983ca18ab4a3150aedfa54c79ac7b74fa
SHA512 cd05a64e986cb7f6c937853c816e03a9c771c698b04f2f43add724951fd8026c7f544f32bc43e6931b222eaaf2402e5a6f723adbdc33b9c4ef351e78db7c7793

\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe

MD5 a54fad388920b74d6533f4594d3a4c2a
SHA1 df29634966f49ff4e0bbdc72447196c539f449e3
SHA256 91a18bf7a840de25fda37e78fd096b0983ca18ab4a3150aedfa54c79ac7b74fa
SHA512 cd05a64e986cb7f6c937853c816e03a9c771c698b04f2f43add724951fd8026c7f544f32bc43e6931b222eaaf2402e5a6f723adbdc33b9c4ef351e78db7c7793

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe

MD5 a54fad388920b74d6533f4594d3a4c2a
SHA1 df29634966f49ff4e0bbdc72447196c539f449e3
SHA256 91a18bf7a840de25fda37e78fd096b0983ca18ab4a3150aedfa54c79ac7b74fa
SHA512 cd05a64e986cb7f6c937853c816e03a9c771c698b04f2f43add724951fd8026c7f544f32bc43e6931b222eaaf2402e5a6f723adbdc33b9c4ef351e78db7c7793

\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe

MD5 4f79a92a79b9de2ccd539a895a27486c
SHA1 b618921cc6b63dba28662190f8fa2b3ca938bcd9
SHA256 d1f3442d30b534d9256d8c33481e659c3b9cd199222c1869c3ea991875cd35e0
SHA512 ec29124df83f7e338d213ebcef68bcb9dcf7e1e7ff23881c88d1aaa101ed59282ff53a494241a3a01c90933a8bc9eb4f7b0da8fdd701c57d3c13eb7617ff41ca

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe

MD5 4f79a92a79b9de2ccd539a895a27486c
SHA1 b618921cc6b63dba28662190f8fa2b3ca938bcd9
SHA256 d1f3442d30b534d9256d8c33481e659c3b9cd199222c1869c3ea991875cd35e0
SHA512 ec29124df83f7e338d213ebcef68bcb9dcf7e1e7ff23881c88d1aaa101ed59282ff53a494241a3a01c90933a8bc9eb4f7b0da8fdd701c57d3c13eb7617ff41ca

\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe

MD5 4f79a92a79b9de2ccd539a895a27486c
SHA1 b618921cc6b63dba28662190f8fa2b3ca938bcd9
SHA256 d1f3442d30b534d9256d8c33481e659c3b9cd199222c1869c3ea991875cd35e0
SHA512 ec29124df83f7e338d213ebcef68bcb9dcf7e1e7ff23881c88d1aaa101ed59282ff53a494241a3a01c90933a8bc9eb4f7b0da8fdd701c57d3c13eb7617ff41ca

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe

MD5 4f79a92a79b9de2ccd539a895a27486c
SHA1 b618921cc6b63dba28662190f8fa2b3ca938bcd9
SHA256 d1f3442d30b534d9256d8c33481e659c3b9cd199222c1869c3ea991875cd35e0
SHA512 ec29124df83f7e338d213ebcef68bcb9dcf7e1e7ff23881c88d1aaa101ed59282ff53a494241a3a01c90933a8bc9eb4f7b0da8fdd701c57d3c13eb7617ff41ca

C:\Users\Admin\AppData\Local\Temp\EA41.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe

MD5 0298257cd8a0b8b794370bac343a2112
SHA1 ef4bdd3a890c35d404fb860b0d303239ea4bba09
SHA256 88b74d8884f09632e668bea54668a44beb33e28e6d34636e7b8888fffc0f0f16
SHA512 0e045ee6a7e7d290b8221efe28bc9f434f92c9864ac5b0d8409e3e0e9a9ff702daaab9dfce9032eafabb680aa76a7ffe684f5bb93612c71f8ad1ec006d4b0afd

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe

MD5 0298257cd8a0b8b794370bac343a2112
SHA1 ef4bdd3a890c35d404fb860b0d303239ea4bba09
SHA256 88b74d8884f09632e668bea54668a44beb33e28e6d34636e7b8888fffc0f0f16
SHA512 0e045ee6a7e7d290b8221efe28bc9f434f92c9864ac5b0d8409e3e0e9a9ff702daaab9dfce9032eafabb680aa76a7ffe684f5bb93612c71f8ad1ec006d4b0afd

\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe

MD5 0298257cd8a0b8b794370bac343a2112
SHA1 ef4bdd3a890c35d404fb860b0d303239ea4bba09
SHA256 88b74d8884f09632e668bea54668a44beb33e28e6d34636e7b8888fffc0f0f16
SHA512 0e045ee6a7e7d290b8221efe28bc9f434f92c9864ac5b0d8409e3e0e9a9ff702daaab9dfce9032eafabb680aa76a7ffe684f5bb93612c71f8ad1ec006d4b0afd

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe

MD5 0298257cd8a0b8b794370bac343a2112
SHA1 ef4bdd3a890c35d404fb860b0d303239ea4bba09
SHA256 88b74d8884f09632e668bea54668a44beb33e28e6d34636e7b8888fffc0f0f16
SHA512 0e045ee6a7e7d290b8221efe28bc9f434f92c9864ac5b0d8409e3e0e9a9ff702daaab9dfce9032eafabb680aa76a7ffe684f5bb93612c71f8ad1ec006d4b0afd

\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe

MD5 173dc3cff75ec08feb0478687311af2d
SHA1 eeb609796fd446db75aaea88ac3971e2c2f8b67f
SHA256 c9abb67366056771c92084c40968cc05221a236f2102b82b2350895dea38b4c8
SHA512 4fd6f6a46563478222cc9c1806962d5b6eb09e3717c41b299495880aaa3c02c72bb7a3a12230ad60daa3d5840451398e7ac99c59a990d2f67efb8b43271c7ea5

\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe

MD5 173dc3cff75ec08feb0478687311af2d
SHA1 eeb609796fd446db75aaea88ac3971e2c2f8b67f
SHA256 c9abb67366056771c92084c40968cc05221a236f2102b82b2350895dea38b4c8
SHA512 4fd6f6a46563478222cc9c1806962d5b6eb09e3717c41b299495880aaa3c02c72bb7a3a12230ad60daa3d5840451398e7ac99c59a990d2f67efb8b43271c7ea5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe

MD5 173dc3cff75ec08feb0478687311af2d
SHA1 eeb609796fd446db75aaea88ac3971e2c2f8b67f
SHA256 c9abb67366056771c92084c40968cc05221a236f2102b82b2350895dea38b4c8
SHA512 4fd6f6a46563478222cc9c1806962d5b6eb09e3717c41b299495880aaa3c02c72bb7a3a12230ad60daa3d5840451398e7ac99c59a990d2f67efb8b43271c7ea5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe

MD5 173dc3cff75ec08feb0478687311af2d
SHA1 eeb609796fd446db75aaea88ac3971e2c2f8b67f
SHA256 c9abb67366056771c92084c40968cc05221a236f2102b82b2350895dea38b4c8
SHA512 4fd6f6a46563478222cc9c1806962d5b6eb09e3717c41b299495880aaa3c02c72bb7a3a12230ad60daa3d5840451398e7ac99c59a990d2f67efb8b43271c7ea5

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe

MD5 1e98b2aab70cf73329270535ca121019
SHA1 62ea94364eacec8dc7ab88e2eccd05766eb40736
SHA256 c683d5f65e3e538a15597be57d6cddf313e436c7eaa8be1053f4d5121dd3d8cd
SHA512 685b6a707788462b1b61b754b76af05777892b62d8a7a1cee49148b60f739232483db13d4c1e0c0c50237ab07e47a7276dbb9e0552d06dea9c9960c6e37f400e

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe

MD5 1e98b2aab70cf73329270535ca121019
SHA1 62ea94364eacec8dc7ab88e2eccd05766eb40736
SHA256 c683d5f65e3e538a15597be57d6cddf313e436c7eaa8be1053f4d5121dd3d8cd
SHA512 685b6a707788462b1b61b754b76af05777892b62d8a7a1cee49148b60f739232483db13d4c1e0c0c50237ab07e47a7276dbb9e0552d06dea9c9960c6e37f400e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe

MD5 1e98b2aab70cf73329270535ca121019
SHA1 62ea94364eacec8dc7ab88e2eccd05766eb40736
SHA256 c683d5f65e3e538a15597be57d6cddf313e436c7eaa8be1053f4d5121dd3d8cd
SHA512 685b6a707788462b1b61b754b76af05777892b62d8a7a1cee49148b60f739232483db13d4c1e0c0c50237ab07e47a7276dbb9e0552d06dea9c9960c6e37f400e

\Users\Admin\AppData\Local\Temp\EA41.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

\Users\Admin\AppData\Local\Temp\EA41.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

C:\Users\Admin\AppData\Local\Temp\ED5D.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

\Users\Admin\AppData\Local\Temp\EA41.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

C:\Users\Admin\AppData\Local\Temp\ED5D.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe

MD5 1e98b2aab70cf73329270535ca121019
SHA1 62ea94364eacec8dc7ab88e2eccd05766eb40736
SHA256 c683d5f65e3e538a15597be57d6cddf313e436c7eaa8be1053f4d5121dd3d8cd
SHA512 685b6a707788462b1b61b754b76af05777892b62d8a7a1cee49148b60f739232483db13d4c1e0c0c50237ab07e47a7276dbb9e0552d06dea9c9960c6e37f400e

\Users\Admin\AppData\Local\Temp\EA41.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

C:\Users\Admin\AppData\Local\Temp\EE07.tmp\EE08.tmp\EE09.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe

MD5 1e98b2aab70cf73329270535ca121019
SHA1 62ea94364eacec8dc7ab88e2eccd05766eb40736
SHA256 c683d5f65e3e538a15597be57d6cddf313e436c7eaa8be1053f4d5121dd3d8cd
SHA512 685b6a707788462b1b61b754b76af05777892b62d8a7a1cee49148b60f739232483db13d4c1e0c0c50237ab07e47a7276dbb9e0552d06dea9c9960c6e37f400e

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe

MD5 1e98b2aab70cf73329270535ca121019
SHA1 62ea94364eacec8dc7ab88e2eccd05766eb40736
SHA256 c683d5f65e3e538a15597be57d6cddf313e436c7eaa8be1053f4d5121dd3d8cd
SHA512 685b6a707788462b1b61b754b76af05777892b62d8a7a1cee49148b60f739232483db13d4c1e0c0c50237ab07e47a7276dbb9e0552d06dea9c9960c6e37f400e

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe

MD5 1e98b2aab70cf73329270535ca121019
SHA1 62ea94364eacec8dc7ab88e2eccd05766eb40736
SHA256 c683d5f65e3e538a15597be57d6cddf313e436c7eaa8be1053f4d5121dd3d8cd
SHA512 685b6a707788462b1b61b754b76af05777892b62d8a7a1cee49148b60f739232483db13d4c1e0c0c50237ab07e47a7276dbb9e0552d06dea9c9960c6e37f400e

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe

MD5 1e98b2aab70cf73329270535ca121019
SHA1 62ea94364eacec8dc7ab88e2eccd05766eb40736
SHA256 c683d5f65e3e538a15597be57d6cddf313e436c7eaa8be1053f4d5121dd3d8cd
SHA512 685b6a707788462b1b61b754b76af05777892b62d8a7a1cee49148b60f739232483db13d4c1e0c0c50237ab07e47a7276dbb9e0552d06dea9c9960c6e37f400e

C:\Users\Admin\AppData\Local\Temp\F1D1.exe

MD5 2000cabba8fad76b97a656addb1b04cf
SHA1 8a27b78abb76eb6d27962fc47d189332ab053d9f
SHA256 56439640536f489a99f19b343d203494792b872cc37eeeb35244e017e24ff3e8
SHA512 eb2285960d192e4583fa08cc95c89d2385dc12ed01839ef1639fa74df4b57802ba16edb1e7c76dd03026feda4756edeb5e8c2b04d9530f7cbacad0b48de3bd4d

C:\Users\Admin\AppData\Local\Temp\F2AC.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\F2AC.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/1772-142-0x00000000002C0000-0x00000000002CA000-memory.dmp

memory/1772-144-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F433.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\F1D1.exe

MD5 2000cabba8fad76b97a656addb1b04cf
SHA1 8a27b78abb76eb6d27962fc47d189332ab053d9f
SHA256 56439640536f489a99f19b343d203494792b872cc37eeeb35244e017e24ff3e8
SHA512 eb2285960d192e4583fa08cc95c89d2385dc12ed01839ef1639fa74df4b57802ba16edb1e7c76dd03026feda4756edeb5e8c2b04d9530f7cbacad0b48de3bd4d

\Users\Admin\AppData\Local\Temp\F1D1.exe

MD5 2000cabba8fad76b97a656addb1b04cf
SHA1 8a27b78abb76eb6d27962fc47d189332ab053d9f
SHA256 56439640536f489a99f19b343d203494792b872cc37eeeb35244e017e24ff3e8
SHA512 eb2285960d192e4583fa08cc95c89d2385dc12ed01839ef1639fa74df4b57802ba16edb1e7c76dd03026feda4756edeb5e8c2b04d9530f7cbacad0b48de3bd4d

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\F433.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\F1D1.exe

MD5 2000cabba8fad76b97a656addb1b04cf
SHA1 8a27b78abb76eb6d27962fc47d189332ab053d9f
SHA256 56439640536f489a99f19b343d203494792b872cc37eeeb35244e017e24ff3e8
SHA512 eb2285960d192e4583fa08cc95c89d2385dc12ed01839ef1639fa74df4b57802ba16edb1e7c76dd03026feda4756edeb5e8c2b04d9530f7cbacad0b48de3bd4d

\Users\Admin\AppData\Local\Temp\F1D1.exe

MD5 2000cabba8fad76b97a656addb1b04cf
SHA1 8a27b78abb76eb6d27962fc47d189332ab053d9f
SHA256 56439640536f489a99f19b343d203494792b872cc37eeeb35244e017e24ff3e8
SHA512 eb2285960d192e4583fa08cc95c89d2385dc12ed01839ef1639fa74df4b57802ba16edb1e7c76dd03026feda4756edeb5e8c2b04d9530f7cbacad0b48de3bd4d

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A4C67491-67AB-11EE-B92B-5EF5C936A496}.dat

MD5 8d602ba960d5a8768cd0ac9856073e46
SHA1 149461c31fac722e55170e060aedbc66b7546257
SHA256 462ca46b5b6c60927532bf330e1e531f20087f1b95105f8e1312963c53a8d4bc
SHA512 dedbb8d8660a4feb67e7b09add66e012e88dee8b8814e9781f73731a9e4aea95d7f63220196a73adde0de5887cd93636f13d19427450d37ac66b9692ef4112cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e217f6bbf20922798ff742a8c6e66fe
SHA1 8c0ca735a7aa5d2d23e0c229f0ac2b2e6513cf1c
SHA256 af54de58c42250cc65f9fdbfcd1ee8f9d2f7cb9e98efbf6458ceb40b16147768
SHA512 977033168c4772954d5f422093ba49c069cffb49e70e32d7ec9e6d284327af77f48fc7beaa02e20f3493660c3228f252fd86dfb7bf6c7bc81a525cb30dbfd4af

C:\Users\Admin\AppData\Local\Temp\CabF805.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarF827.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06244c6b37b830b3bc25daa4af7d9059
SHA1 edfb0eed11b25bc31ef07b38666fe48a5ae33ed3
SHA256 154d90292923c85f7904b751abfa364039d882c425a42c4fbd26695610d50a72
SHA512 4d6f704ecc4b18fe4ad639cef00f922dd8fdccb5e4b510fc80678c78cbafff8a79ca09f55a4937dfe549c99cca28fed8f38338827eeec26ece10e602e34458a7

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cef296e775d0e51dee91cb02893c8693
SHA1 237ca12ea61fc18ac7603de37b68d051c94b39f4
SHA256 042934b9b4c886cec9f46d18896d403ecf4c0838d4321d3c7285027063b895a0
SHA512 f8cce082f4eaaa4582562f841d3b0824bc23d89cedbd197f9c5df8b2e092bd0c04fd609fc5ecb696a1e78cec1b6451b36763ceacb05162c6b45ab19835b7d3d1

memory/1772-305-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5Y4CXW2F\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\6gi47o3\imagestore.dat

MD5 5b157622b5c73aaadbc23445f8555fff
SHA1 bc8ddaec7389e33d8ba1ce741fd50fc2a0ef9e2d
SHA256 eaed6fa8a1bd17e275d4cfd937732c71d2e119baa0cebe3886e549b1b231e08c
SHA512 65462791980ae57e4f1592815bab822bdb3bbc4ceb957d51b05c7cc9812c1dbef52748d7dc98883583e95d90948a80971465e4448ca43e206b376b39e573cbe5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O2X6Y6U3\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\6gi47o3\imagestore.dat

MD5 cddb286c07b8002c0005c5262cb9e7e5
SHA1 2591d28a8fbfbd31811fc64f6d21dbb2df30235b
SHA256 4fa21f1641493ae37bb49ed9597823f11c681a8cc3cf5a470342a9d7689f6e94
SHA512 e21946ad4589ef809269550f21405679e93fbfb93005c42021d00606723796fea6fbfbcdab97304a670ef5fa76135fa07d87918230ca360fbe59e38437f78968

memory/1772-483-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 631a22678f080474839b68c7acfedb82
SHA1 34a983c7746cc7863313a3d9411890630d5caf92
SHA256 f5ae5677756f3ebcfa03ac0655417e285b6edf17e23795a2e57bbb89c4a0ec93
SHA512 e54ec4a810af1a748143089e4f49e947b6ae58b39e4c8412bd871985356745795c07245275e21bef621f56ceacb72407939ec849fff01b20e68b53329a32e202

C:\Users\Admin\AppData\Local\Temp\3D16.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f220a586d4048921b49a22d3b093b69c
SHA1 93be4a5541f0ce75fa5cb5da8b8faecd6b9295f0
SHA256 ad89464cf17de8bb02640d9684c1d716e11ca71f2e3c23a6ff6f2c1ab2a4b6cf
SHA512 2000da41a0dea37b50c03eb718f8f5e9465855bed7ca9ac9bac408d47a7d43f463e9e74866abc7518857c699ef5e8f207b27a997381c2fbeed5d86aa7d615e86

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b92277420bf2f4b7e404f603fd41f83d
SHA1 2b5eea8a69f63d9f48f4b081ec94af2a7369553d
SHA256 555c67050db55d001225a7e6ec3e70317a3b2ead993a0ac1b5e472dc305a8b86
SHA512 cd8ecd2fc6fe601d68a19b0a3e06855709bcabf1e40c7303f71cbc9dc28da0c860de4b1c5f1255ef3f09c96ef872089c0b6ff0393fe3370bb1b5faefc03006db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c9096393986b48dde4e9a19d270658cd
SHA1 9656e6b96566cd7161eebb3806b5f8e128724d83
SHA256 76421aa2c5bf4e56635a4d624faf45baad892fbaf0d3479e5307965ff50051d6
SHA512 f19e0915e96ada4971c34856f5a58d7ddda7ee2b136b9b8f4b5172c19e8cba3a00e256c229dd033125464099c1f6b19ed0b6de3d6221819f0daa0388c66a6a1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9459264d81569cd39fab3fc24ab5f14b
SHA1 ff84593e3ce3e4a213af4fc11668dce0de546296
SHA256 1c3f1544dab90f577fd379d683d4ff22aa7f687b6b83e254eca64801109d7ffd
SHA512 25021081b655bf48f4f8da1274f73f18b35c15d89a702764817d319c5d9cc007d2fbf23830dc13b766cd3596f6fb2eecd727af5215a2404e7e2a8c29a50c98c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 595997093e8b77c2c69bfb6a276ce0bb
SHA1 155d3332fb7c77d8ca6fe58c9289136d8f4240a0
SHA256 22b82aaffcb40ae8f7f36155d48e3c2a14d70bd5f935e375c763de62fcc01348
SHA512 def86ccb94a551ab9ce339db081b7a1d353f25fae5eb9e87165f44a151b0ceef3bf5da7e6eccf321243a2f3000ec099c474f180ddd95ea07e441ee9434061f03

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3dce3d3e6f793b370010e66e9b8bd268
SHA1 272a826e9ad0aabfd7395783ed2df4fa74e5d30d
SHA256 3d4b1d19e168f19cb536191286908510348b027727671cd873698d89be061754
SHA512 9ed839efb97a3729acca5d9d473919f78ca31ad2b272bac3a3d725f370528e1a173d496462dc43175a7ab494d5e2b3ddd4b58759ca1d2de0ea1fa262a882f8f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3dce3d3e6f793b370010e66e9b8bd268
SHA1 272a826e9ad0aabfd7395783ed2df4fa74e5d30d
SHA256 3d4b1d19e168f19cb536191286908510348b027727671cd873698d89be061754
SHA512 9ed839efb97a3729acca5d9d473919f78ca31ad2b272bac3a3d725f370528e1a173d496462dc43175a7ab494d5e2b3ddd4b58759ca1d2de0ea1fa262a882f8f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 99692dd3412fadfc5cd2a1de78c5c8ea
SHA1 2c42d315f9a970ff2427f9b27e69340be697b4fc
SHA256 c58907cc0009f155748dad06881ff5020e731d3a7dba99f90fc727aa1b7a451b
SHA512 9581bcf1b11e54c1f9f8de9f003ee52fdfc083de89e13ca62af067a279e53065e6fa5be66f5d402fae6ad080331d337c72efb6009265d8963686e22aab9ed346

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d31c0bac3460b28eceb6d624f8c167f7
SHA1 58c2bd2980367fb69bd4d99b192602e883030d6e
SHA256 a41e8d53e466fa80083acbc6a85750b616cbb9bc53f65fc88b24c31f9b54e829
SHA512 74ed0a9210f9084abe6c878c2856f23b31ed42c76a98e94d35a9d2d97ef5d029b702cdc8770c4a014f955bfc6032a9c6b3cc2888b61b7b40bcbb52e0109d35d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 65025083d1664bfd5921394906127698
SHA1 87e11ee9959b84c913a3531fff4fa8a2a25477e5
SHA256 6ed69822d1328d91bb5b02c000c86a414ba91ef7b87920c547cbde3a65a8d338
SHA512 7c92dbff87bf39ce2e0d06a0056341a39d589ea214d52c67daf98c945144b3d68dfb854a0a8430cb88d2e8065dc730d454b7041e31b15fe8bc9490de388f0b20

C:\Users\Admin\AppData\Local\Temp\3D16.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/1256-918-0x0000000070D30000-0x000000007141E000-memory.dmp

memory/1256-919-0x0000000000E40000-0x0000000001D6A000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/2232-947-0x0000000070D30000-0x000000007141E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\77E5.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/2232-953-0x0000000000300000-0x0000000000816000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\77E5.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/2892-956-0x00000000023F0000-0x00000000024F0000-memory.dmp

memory/2396-959-0x00000000002D0000-0x000000000032A000-memory.dmp

memory/2396-958-0x0000000000400000-0x000000000046F000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/2360-966-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1256-964-0x0000000070D30000-0x000000007141E000-memory.dmp

memory/2360-968-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2360-969-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2360-971-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1888-970-0x0000000003F70000-0x0000000004368000-memory.dmp

memory/2396-972-0x0000000070D30000-0x000000007141E000-memory.dmp

memory/2892-957-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1888-973-0x0000000003F70000-0x0000000004368000-memory.dmp

memory/1888-974-0x0000000004370000-0x0000000004C5B000-memory.dmp

memory/2232-976-0x0000000070D30000-0x000000007141E000-memory.dmp

memory/1280-977-0x0000000002EA0000-0x0000000002EB6000-memory.dmp

memory/2360-978-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8889.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/1888-986-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1888-988-0x0000000000400000-0x000000000266D000-memory.dmp

memory/3004-991-0x0000000070D30000-0x000000007141E000-memory.dmp

memory/2688-992-0x0000000000020000-0x000000000003E000-memory.dmp

memory/2396-994-0x0000000070D30000-0x000000007141E000-memory.dmp

memory/1888-996-0x0000000003F70000-0x0000000004368000-memory.dmp

memory/2688-998-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3004-999-0x0000000000B00000-0x0000000000B1E000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Local\Temp\tmpD664.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpD754.tmp

MD5 ec30b7eadd1965e4865c218b939eacc7
SHA1 1ae50b6a4f639d222b58b484a4ccdc7286ba8fc7
SHA256 1f547dba047c78f27adc0b75a0cc23a212cad9fdf1c0ec2040b067fb6ad2c298
SHA512 701e5a6d03cead9ccafe731ae4af3272384d65a56c7786abb29718f69873b9fcb35184762b344c5f5f7e9bf107c739f6f15e8ca91fc7749e24424872ba6fe75f

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2232-1116-0x0000000000B30000-0x0000000000B4C000-memory.dmp

memory/2232-1117-0x0000000000B30000-0x0000000000B45000-memory.dmp

memory/2232-1118-0x0000000000B30000-0x0000000000B45000-memory.dmp

memory/2232-1120-0x0000000000B30000-0x0000000000B45000-memory.dmp

memory/2232-1122-0x0000000000B30000-0x0000000000B45000-memory.dmp

memory/2232-1124-0x0000000000B30000-0x0000000000B45000-memory.dmp

memory/2232-1126-0x0000000000B30000-0x0000000000B45000-memory.dmp

memory/2232-1128-0x0000000000B30000-0x0000000000B45000-memory.dmp

memory/2232-1130-0x0000000000B30000-0x0000000000B45000-memory.dmp

memory/2232-1132-0x0000000000B30000-0x0000000000B45000-memory.dmp

memory/2232-1134-0x0000000000B30000-0x0000000000B45000-memory.dmp

memory/2232-1136-0x0000000000B30000-0x0000000000B45000-memory.dmp

memory/2232-1138-0x0000000000B30000-0x0000000000B45000-memory.dmp

memory/2232-1140-0x0000000000B30000-0x0000000000B45000-memory.dmp

memory/1152-1142-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1152-1144-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1152-1146-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2396-1148-0x0000000070D30000-0x000000007141E000-memory.dmp

memory/2688-1154-0x0000000070D30000-0x000000007141E000-memory.dmp

memory/1888-1164-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1980-1174-0x000000013F2A0000-0x000000013F841000-memory.dmp

memory/2232-1175-0x0000000005060000-0x00000000050A0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2213078f864d88a313c63ca5bda2d6fb
SHA1 ceaf3ccdeff2ebaab22a6fbdb715b220650b7011
SHA256 81ede30413a0f7f9cb82c63989e28a7705903aa651b6c17269500d274f11323f
SHA512 09e214bc7332a6a0f82673ea53ad96bbc3f62b35f644e207432e860e328ad93d6f110e588de15f85a8c8f5abbead7850f70c0fcf54b556beb13d5fbd31a4ccfd

memory/1888-1176-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1968-1212-0x00000000025F0000-0x0000000002670000-memory.dmp

memory/2232-1224-0x0000000000950000-0x0000000000951000-memory.dmp

memory/3004-1225-0x00000000021A0000-0x00000000021E0000-memory.dmp

memory/2232-1234-0x0000000000B50000-0x0000000000B51000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ca71e49b53e68b4f61a5d9527f29814
SHA1 c2614f12c7318ead330d7ccb25af86a392c59526
SHA256 cfb10b65ce8b89e208aaa2af6cf8583c99611a192ad664e33be10c4ceaafbb9b
SHA512 e50758d7e159f90c794697ace60095627f0370d8e003af52c2b0bb145cd87dd43800a6f6af34d53db39259ad04c08201521eff9bba46c99684f85ab0749e07af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e9bd957d7fda637abda6d53797737dd
SHA1 1ff5695d091f7da0c4ce48960735d808900c3b70
SHA256 ef9ec871e1c63e408f4f0f7a50e3e16e8a42c07c9b144d436562cb8d6e51798f
SHA512 6c942743c73f7aad6b953e14ad59ae7a6dbfc712fd3e0cd14e9cefb45535a8b07a93cd157f9767c95611fcd4acaa62be09fa982bed9b42de06a15ac13c7cceac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e9bd957d7fda637abda6d53797737dd
SHA1 1ff5695d091f7da0c4ce48960735d808900c3b70
SHA256 ef9ec871e1c63e408f4f0f7a50e3e16e8a42c07c9b144d436562cb8d6e51798f
SHA512 6c942743c73f7aad6b953e14ad59ae7a6dbfc712fd3e0cd14e9cefb45535a8b07a93cd157f9767c95611fcd4acaa62be09fa982bed9b42de06a15ac13c7cceac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be87508ad0dfad5755044da298cadf09
SHA1 a96c285748df7c8609097c246f1f8a53679447bd
SHA256 2cf2d96af5c7100056595393c1e74be6dab939b8071ad58665e69ea8a10d6bd5
SHA512 18932fe7d7a109ed763dd233669d933961a453d8b1e19181c44be745910e68d8ec589a694b772acd773e99b57d04e9bf6ad2b40bbe043838d0f4236d892b8335

memory/1152-1340-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b6b1490bc5ffa5a9e9394a890b1eca0
SHA1 a11eac595cabde6e8b3f79dc8a750d65c5f08a1b
SHA256 6fb5272f0aee318147badd762b9a9d0f6b56943021b1f42cc7af166d75e93a4f
SHA512 e48dde47ed3a42b24699c387e888018a2ae90482504c82dfd010ab32e2194eaf089bfbba7075843577af6f144c398cc30da09b161323e3321b11ff1d33998c50

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ea98d3b46731f6aafa5b60a4a78782c
SHA1 4071b0a852c595e74279340cb7316987e8320324
SHA256 db6f29d3d6a9819d531f00fc6c4887b9220eceeed82440c03a82aa2403bcb8ca
SHA512 eff517857dd52f9c8dd680c8400dc2d68b23eef3ca7bfd0932d426e797b779b04c1fd683fd2c500ca73199c1a6831190a3c20a6c31d264c3737f22a4efe0d5cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 152299551235db830bc6cb37e8170808
SHA1 f41f2b687f28adecdab1da2e04f3fd10aedc4fe9
SHA256 f93f7c06e08b628670a46966286adb9bdec5f6c4aeb2df0b2649ec47374dbfc0
SHA512 77b961490551b9c6f3c931f0068f2c176a7cef8b0b0038256c9b81ebb08e96e7fb7fd24572738e35eff7430d55a6de087f97b5e3a0c125779a3ad118c11bd0e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8c489f25805dafbaeea679fd12a8415
SHA1 d22e9cf024e06e7a329c7d40ede7dcbc976ce148
SHA256 559b5e9af0985899de961b37bf008fe11e2fcc756e813c99d0a950a589100e4c
SHA512 8d28becb3d742f7b99224baa433e953158d0b0ef65f31829dd77ce6f0327e6bc80bdd2a239f73cb521a5602a6d180a4cdd7da2add589638e9b9b036122c915a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5fb58623393adbe819c09f43255d538a
SHA1 5fe05dc3aef64b3cff415698ccf81d76df77d5cb
SHA256 728173e91207d2567fa464b775b9ee88bb5936c6903586d7fa7607ee2b7fdb8f
SHA512 606116d1ca698df5c633bdc7cee6cdf2f2a98259c9a6979e5948eae097526b90251981591add98ba5aead3826fc86d35c11c38f8198a05e9d80cede9ee87a64a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5fb58623393adbe819c09f43255d538a
SHA1 5fe05dc3aef64b3cff415698ccf81d76df77d5cb
SHA256 728173e91207d2567fa464b775b9ee88bb5936c6903586d7fa7607ee2b7fdb8f
SHA512 606116d1ca698df5c633bdc7cee6cdf2f2a98259c9a6979e5948eae097526b90251981591add98ba5aead3826fc86d35c11c38f8198a05e9d80cede9ee87a64a

memory/2232-1636-0x0000000070D30000-0x000000007141E000-memory.dmp

memory/1968-1637-0x000000001B220000-0x000000001B502000-memory.dmp

memory/1968-1638-0x00000000022A0000-0x00000000022A8000-memory.dmp

memory/3004-1639-0x0000000070D30000-0x000000007141E000-memory.dmp

memory/1888-1641-0x0000000004370000-0x0000000004C5B000-memory.dmp

memory/1968-1642-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

memory/1888-1643-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1968-1645-0x00000000025F4000-0x00000000025F7000-memory.dmp

memory/1968-1646-0x00000000025F0000-0x0000000002670000-memory.dmp

memory/1968-1647-0x000007FEF5800000-0x000007FEF619D000-memory.dmp

memory/1152-1648-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2624-1650-0x0000000003F20000-0x0000000004318000-memory.dmp

memory/2624-1651-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40UEGXEB1BBI6WBE0MUB.temp

MD5 156f2f3364ac0ccfa54f894bf8ca7908
SHA1 2ed5e79d9c26a82207e8ce2fd9eb2e42da36b290
SHA256 d92040665b39a4ea27f15954d036dc761e09adcd8d0e1e9569cab6ffd0340f58
SHA512 3393271a8a1e5e5c7ccf226efef16b97ecc51c6ec6e1a16124bf6a2b5e5dd7b1d1d8f6d0234ff7b3f39106ee70f5b42698e129c7a2e8a275ed292bb32094d9e6

memory/2688-1658-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2120-1659-0x000000001B130000-0x000000001B412000-memory.dmp

memory/2120-1660-0x0000000002570000-0x00000000025F0000-memory.dmp

memory/2120-1661-0x0000000001F90000-0x0000000001F98000-memory.dmp

memory/2120-1674-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/2120-1675-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/2120-1676-0x0000000002570000-0x00000000025F0000-memory.dmp

memory/2120-1677-0x0000000002570000-0x00000000025F0000-memory.dmp

memory/2120-1678-0x0000000002570000-0x00000000025F0000-memory.dmp

memory/2624-1679-0x0000000003F20000-0x0000000004318000-memory.dmp

memory/2624-1680-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2120-1681-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp

memory/1152-1685-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2624-1693-0x0000000000400000-0x000000000266D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:22

Reported

2023-10-10 20:31

Platform

win10v2004-20230915-en

Max time kernel

162s

Max time network

168s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F51.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\F51.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\F51.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F51.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\F51.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\F51.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4BB0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\26E.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10AA.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FF6E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\144.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\26E.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E94.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10AA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ez052Se.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4BB0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9C62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A5CA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wrdchdv N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9378.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9378.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\F51.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\FF6E.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F51.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9C62.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4832 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4832 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4832 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4832 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4832 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4832 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4832 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4832 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4832 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2660 wrote to memory of 3196 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FF6E.exe
PID 2660 wrote to memory of 3196 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FF6E.exe
PID 2660 wrote to memory of 3196 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FF6E.exe
PID 3196 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\FF6E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe
PID 3196 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\FF6E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe
PID 3196 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\FF6E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe
PID 2660 wrote to memory of 2784 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\144.exe
PID 2660 wrote to memory of 2784 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\144.exe
PID 2660 wrote to memory of 2784 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\144.exe
PID 3720 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe
PID 3720 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe
PID 3720 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe
PID 3756 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe
PID 3756 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe
PID 3756 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe
PID 3764 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe
PID 3764 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe
PID 3764 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe
PID 2784 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2784 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2660 wrote to memory of 2600 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\26E.bat
PID 2660 wrote to memory of 2600 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\26E.bat
PID 2660 wrote to memory of 2600 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\26E.bat
PID 4904 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe
PID 4904 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe
PID 4904 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe
PID 2660 wrote to memory of 3312 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E94.exe
PID 2660 wrote to memory of 3312 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E94.exe
PID 2660 wrote to memory of 3312 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E94.exe
PID 2600 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\26E.bat C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\26E.bat C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 4508 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F51.exe
PID 2660 wrote to memory of 4508 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F51.exe
PID 5020 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5020 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5020 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5020 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5020 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5020 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5020 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5020 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5020 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5020 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2660 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\10AA.exe
PID 2660 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\10AA.exe
PID 2660 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\10AA.exe
PID 3312 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\E94.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe

"C:\Users\Admin\AppData\Local\Temp\52df3951cce7d53db656510ab7c8195966ff062d31c4f80d095cee3a97fa3e20.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4832 -ip 4832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 236

C:\Users\Admin\AppData\Local\Temp\FF6E.exe

C:\Users\Admin\AppData\Local\Temp\FF6E.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe

C:\Users\Admin\AppData\Local\Temp\144.exe

C:\Users\Admin\AppData\Local\Temp\144.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2784 -ip 2784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 388

C:\Users\Admin\AppData\Local\Temp\26E.bat

"C:\Users\Admin\AppData\Local\Temp\26E.bat"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe

C:\Users\Admin\AppData\Local\Temp\E94.exe

C:\Users\Admin\AppData\Local\Temp\E94.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D0B.tmp\D0C.tmp\D0D.bat C:\Users\Admin\AppData\Local\Temp\26E.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\F51.exe

C:\Users\Admin\AppData\Local\Temp\F51.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5020 -ip 5020

C:\Users\Admin\AppData\Local\Temp\10AA.exe

C:\Users\Admin\AppData\Local\Temp\10AA.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2868 -ip 2868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 388

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ez052Se.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ez052Se.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe237646f8,0x7ffe23764708,0x7ffe23764718

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe237646f8,0x7ffe23764708,0x7ffe23764718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,2082446872389953277,2281917889435580021,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,2082446872389953277,2281917889435580021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,2082446872389953277,2281917889435580021,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2082446872389953277,2281917889435580021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2082446872389953277,2281917889435580021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,16219718135502180008,14974568644014596715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,16219718135502180008,14974568644014596715,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2082446872389953277,2281917889435580021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2082446872389953277,2281917889435580021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\4BB0.exe

C:\Users\Admin\AppData\Local\Temp\4BB0.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\9378.exe

C:\Users\Admin\AppData\Local\Temp\9378.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\9C62.exe

C:\Users\Admin\AppData\Local\Temp\9C62.exe

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2082446872389953277,2281917889435580021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2082446872389953277,2281917889435580021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\A5CA.exe

C:\Users\Admin\AppData\Local\Temp\A5CA.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 520 -ip 520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 792

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,2082446872389953277,2281917889435580021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3916 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2082446872389953277,2281917889435580021,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2082446872389953277,2281917889435580021,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,2082446872389953277,2281917889435580021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3916 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Roaming\wrdchdv

C:\Users\Admin\AppData\Roaming\wrdchdv

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.113.22.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.35:443 facebook.com tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
US 8.8.8.8:53 27.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 35.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 254.3.248.8.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 tak.soydet.top udp
FI 95.217.246.182:8443 tak.soydet.top tcp
US 8.8.8.8:53 182.246.217.95.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 162.61.21.104.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 host-file-host6.com udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
FI 77.91.124.55:19071 tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
FI 77.91.124.55:19071 tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.124.55:19071 tcp

Files

memory/1640-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1640-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2660-2-0x0000000002C00000-0x0000000002C16000-memory.dmp

memory/1640-4-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FF6E.exe

MD5 521b301f03de5c5a4ff888ca5c18959e
SHA1 2cd040fdf4dbb80e180a9935dbb7f8908b1f522d
SHA256 c2216e3af5c696540b9ed3fd41f0bb87ae9c39615bcee3fb64157770865d8e2f
SHA512 464277c111bb8fb998946206ba24c0120583d21bd2c3324b3babbe4e22b5d075ce4d4d618680af4ec5633d151b2d4e7791099f9fe5e8772f496aedf48e8066e3

C:\Users\Admin\AppData\Local\Temp\FF6E.exe

MD5 521b301f03de5c5a4ff888ca5c18959e
SHA1 2cd040fdf4dbb80e180a9935dbb7f8908b1f522d
SHA256 c2216e3af5c696540b9ed3fd41f0bb87ae9c39615bcee3fb64157770865d8e2f
SHA512 464277c111bb8fb998946206ba24c0120583d21bd2c3324b3babbe4e22b5d075ce4d4d618680af4ec5633d151b2d4e7791099f9fe5e8772f496aedf48e8066e3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe

MD5 a54fad388920b74d6533f4594d3a4c2a
SHA1 df29634966f49ff4e0bbdc72447196c539f449e3
SHA256 91a18bf7a840de25fda37e78fd096b0983ca18ab4a3150aedfa54c79ac7b74fa
SHA512 cd05a64e986cb7f6c937853c816e03a9c771c698b04f2f43add724951fd8026c7f544f32bc43e6931b222eaaf2402e5a6f723adbdc33b9c4ef351e78db7c7793

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xq9YG2dp.exe

MD5 a54fad388920b74d6533f4594d3a4c2a
SHA1 df29634966f49ff4e0bbdc72447196c539f449e3
SHA256 91a18bf7a840de25fda37e78fd096b0983ca18ab4a3150aedfa54c79ac7b74fa
SHA512 cd05a64e986cb7f6c937853c816e03a9c771c698b04f2f43add724951fd8026c7f544f32bc43e6931b222eaaf2402e5a6f723adbdc33b9c4ef351e78db7c7793

C:\Users\Admin\AppData\Local\Temp\144.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe

MD5 4f79a92a79b9de2ccd539a895a27486c
SHA1 b618921cc6b63dba28662190f8fa2b3ca938bcd9
SHA256 d1f3442d30b534d9256d8c33481e659c3b9cd199222c1869c3ea991875cd35e0
SHA512 ec29124df83f7e338d213ebcef68bcb9dcf7e1e7ff23881c88d1aaa101ed59282ff53a494241a3a01c90933a8bc9eb4f7b0da8fdd701c57d3c13eb7617ff41ca

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IP9BC1Gb.exe

MD5 4f79a92a79b9de2ccd539a895a27486c
SHA1 b618921cc6b63dba28662190f8fa2b3ca938bcd9
SHA256 d1f3442d30b534d9256d8c33481e659c3b9cd199222c1869c3ea991875cd35e0
SHA512 ec29124df83f7e338d213ebcef68bcb9dcf7e1e7ff23881c88d1aaa101ed59282ff53a494241a3a01c90933a8bc9eb4f7b0da8fdd701c57d3c13eb7617ff41ca

C:\Users\Admin\AppData\Local\Temp\144.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe

MD5 0298257cd8a0b8b794370bac343a2112
SHA1 ef4bdd3a890c35d404fb860b0d303239ea4bba09
SHA256 88b74d8884f09632e668bea54668a44beb33e28e6d34636e7b8888fffc0f0f16
SHA512 0e045ee6a7e7d290b8221efe28bc9f434f92c9864ac5b0d8409e3e0e9a9ff702daaab9dfce9032eafabb680aa76a7ffe684f5bb93612c71f8ad1ec006d4b0afd

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zE3Tf8RH.exe

MD5 0298257cd8a0b8b794370bac343a2112
SHA1 ef4bdd3a890c35d404fb860b0d303239ea4bba09
SHA256 88b74d8884f09632e668bea54668a44beb33e28e6d34636e7b8888fffc0f0f16
SHA512 0e045ee6a7e7d290b8221efe28bc9f434f92c9864ac5b0d8409e3e0e9a9ff702daaab9dfce9032eafabb680aa76a7ffe684f5bb93612c71f8ad1ec006d4b0afd

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe

MD5 173dc3cff75ec08feb0478687311af2d
SHA1 eeb609796fd446db75aaea88ac3971e2c2f8b67f
SHA256 c9abb67366056771c92084c40968cc05221a236f2102b82b2350895dea38b4c8
SHA512 4fd6f6a46563478222cc9c1806962d5b6eb09e3717c41b299495880aaa3c02c72bb7a3a12230ad60daa3d5840451398e7ac99c59a990d2f67efb8b43271c7ea5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mp9Xq8rT.exe

MD5 173dc3cff75ec08feb0478687311af2d
SHA1 eeb609796fd446db75aaea88ac3971e2c2f8b67f
SHA256 c9abb67366056771c92084c40968cc05221a236f2102b82b2350895dea38b4c8
SHA512 4fd6f6a46563478222cc9c1806962d5b6eb09e3717c41b299495880aaa3c02c72bb7a3a12230ad60daa3d5840451398e7ac99c59a990d2f67efb8b43271c7ea5

memory/4404-49-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4404-50-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4404-51-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4404-52-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\26E.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\26E.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe

MD5 1e98b2aab70cf73329270535ca121019
SHA1 62ea94364eacec8dc7ab88e2eccd05766eb40736
SHA256 c683d5f65e3e538a15597be57d6cddf313e436c7eaa8be1053f4d5121dd3d8cd
SHA512 685b6a707788462b1b61b754b76af05777892b62d8a7a1cee49148b60f739232483db13d4c1e0c0c50237ab07e47a7276dbb9e0552d06dea9c9960c6e37f400e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1wv16gF7.exe

MD5 1e98b2aab70cf73329270535ca121019
SHA1 62ea94364eacec8dc7ab88e2eccd05766eb40736
SHA256 c683d5f65e3e538a15597be57d6cddf313e436c7eaa8be1053f4d5121dd3d8cd
SHA512 685b6a707788462b1b61b754b76af05777892b62d8a7a1cee49148b60f739232483db13d4c1e0c0c50237ab07e47a7276dbb9e0552d06dea9c9960c6e37f400e

C:\Users\Admin\AppData\Local\Temp\26E.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\E94.exe

MD5 2000cabba8fad76b97a656addb1b04cf
SHA1 8a27b78abb76eb6d27962fc47d189332ab053d9f
SHA256 56439640536f489a99f19b343d203494792b872cc37eeeb35244e017e24ff3e8
SHA512 eb2285960d192e4583fa08cc95c89d2385dc12ed01839ef1639fa74df4b57802ba16edb1e7c76dd03026feda4756edeb5e8c2b04d9530f7cbacad0b48de3bd4d

C:\Users\Admin\AppData\Local\Temp\E94.exe

MD5 2000cabba8fad76b97a656addb1b04cf
SHA1 8a27b78abb76eb6d27962fc47d189332ab053d9f
SHA256 56439640536f489a99f19b343d203494792b872cc37eeeb35244e017e24ff3e8
SHA512 eb2285960d192e4583fa08cc95c89d2385dc12ed01839ef1639fa74df4b57802ba16edb1e7c76dd03026feda4756edeb5e8c2b04d9530f7cbacad0b48de3bd4d

memory/4508-70-0x0000000000E20000-0x0000000000E2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F51.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\F51.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/4404-71-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2868-73-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2868-78-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10AA.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/2868-83-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10AA.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/4508-81-0x00007FFE219E0000-0x00007FFE224A1000-memory.dmp

memory/3036-84-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3036-85-0x0000000072110000-0x00000000728C0000-memory.dmp

memory/3036-86-0x00000000078D0000-0x0000000007E74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3036-87-0x00000000073C0000-0x0000000007452000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ez052Se.exe

MD5 8cfa44a7ba3a2727129dece4f58a9c85
SHA1 b2c4e1e620341c355f98797bde0cdd20b84ea08d
SHA256 b8d884a320428ea03562aac10629eef5ee9839089a58130f21ac29f131dca4d9
SHA512 741322c4ecc2be64a167b74bdd59ebcb7500d5d145c6271b3cd4df49d23d124b6c93479e1157b4a6b28457437d64cff461c4c6d8d92cfdf892722118984ad1ea

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ez052Se.exe

MD5 8cfa44a7ba3a2727129dece4f58a9c85
SHA1 b2c4e1e620341c355f98797bde0cdd20b84ea08d
SHA256 b8d884a320428ea03562aac10629eef5ee9839089a58130f21ac29f131dca4d9
SHA512 741322c4ecc2be64a167b74bdd59ebcb7500d5d145c6271b3cd4df49d23d124b6c93479e1157b4a6b28457437d64cff461c4c6d8d92cfdf892722118984ad1ea

memory/2316-100-0x0000000000040000-0x000000000007E000-memory.dmp

memory/3036-99-0x0000000007470000-0x000000000747A000-memory.dmp

memory/2316-101-0x0000000072110000-0x00000000728C0000-memory.dmp

memory/3036-96-0x00000000074F0000-0x0000000007500000-memory.dmp

memory/2316-102-0x0000000004880000-0x0000000004890000-memory.dmp

memory/3036-103-0x00000000084A0000-0x0000000008AB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D0B.tmp\D0C.tmp\D0D.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/3036-105-0x00000000077A0000-0x00000000078AA000-memory.dmp

memory/2316-107-0x0000000007100000-0x000000000713C000-memory.dmp

memory/2316-106-0x00000000070A0000-0x00000000070B2000-memory.dmp

memory/3036-108-0x0000000007710000-0x000000000775C000-memory.dmp

memory/4508-109-0x00007FFE219E0000-0x00007FFE224A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

\??\pipe\LOCAL\crashpad_4328_ERPTWKSVNLFJZHEZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3036-135-0x0000000072110000-0x00000000728C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

\??\pipe\LOCAL\crashpad_5036_GHMDWORUFTPCOAMV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3036-143-0x00000000074F0000-0x0000000007500000-memory.dmp

memory/4508-144-0x00007FFE219E0000-0x00007FFE224A1000-memory.dmp

memory/2316-149-0x0000000072110000-0x00000000728C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 52c1a2fed5fb4c8ab0eebc63380fdf93
SHA1 332962315eaee8967a7d6acab328c6182f7ef785
SHA256 8f5064da857b88cf48c41275987f13bae8adda32d516a2bd7e72c9dea0b9b61a
SHA512 f586e41cb4747a793a567dff1f1214eb8bfb92c9a0f1b807c1458c2ae4f56bcd1d15c842581feeeeb74d945cbe487b4b3ce0eb3492770a29640de297e0d12919

memory/2316-155-0x0000000004880000-0x0000000004890000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6fb06efbafb59614b6bcd10b301270ed
SHA1 1b230b65a146b140b5f76c219fc9f626aa170800
SHA256 3936284d51174bd6951491260851e757867f08a91a67be775ee728762960fd99
SHA512 3ee0414b18d91550a677aa3bec0c9226f69fe38707924f4cbd67317806e92b3219481b8c83a776e6178c91be2f4d23059cc298d3f70a2c69df5572780dfff1cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 15913dcf3be729e3db40d03819d4ef26
SHA1 3e8826e91c31f8685e6b67e87e391347d797df85
SHA256 76ee70ec480144cb4c91f5429483ee4cd75f7a8b58f191c23a3bf418d71b56b3
SHA512 767c528563646d1c3f136acc46b7cd9d251ba49c75c7777d3c8188b6205c01c61e8d4221f611cae35fbc8f6d01fd545854f16f2aa1a469b707b2f12692c8d211

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 52c1a2fed5fb4c8ab0eebc63380fdf93
SHA1 332962315eaee8967a7d6acab328c6182f7ef785
SHA256 8f5064da857b88cf48c41275987f13bae8adda32d516a2bd7e72c9dea0b9b61a
SHA512 f586e41cb4747a793a567dff1f1214eb8bfb92c9a0f1b807c1458c2ae4f56bcd1d15c842581feeeeb74d945cbe487b4b3ce0eb3492770a29640de297e0d12919

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 174d06cc4273847d87780ca92dd6932d
SHA1 86211113f3bfeb309d5ca1a525be5569e92b5d5e
SHA256 3dbcb62c508994735d4089c09652249daf206c36417a39ce9cf94cb4bc535663
SHA512 a0e15eba5a82e72b5a2a0d1468e784dd1e6a522f069f997b54fd41a7d7bf1002f9e2e4e307572ef99336047e9d4f26af035945d1de2036da1951bece6f1e45b1

C:\Users\Admin\AppData\Local\Temp\4BB0.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\4BB0.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/4976-223-0x0000000072110000-0x00000000728C0000-memory.dmp

memory/4976-229-0x0000000000E00000-0x0000000001D2A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 6dcb90ba1ba8e06c1d4f27ec78f6911a
SHA1 71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9
SHA256 30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416
SHA512 dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/2392-304-0x00000000024F0000-0x00000000024F9000-memory.dmp

memory/2392-303-0x00000000025B0000-0x00000000026B0000-memory.dmp

memory/3920-305-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/3920-311-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9378.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\9378.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/4976-315-0x0000000072110000-0x00000000728C0000-memory.dmp

memory/520-316-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9C62.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/520-327-0x00000000020A0000-0x00000000020FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/520-345-0x0000000072110000-0x00000000728C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9C62.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/4500-351-0x0000000072110000-0x00000000728C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9378.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\9378.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/4500-348-0x00000000007D0000-0x0000000000CE6000-memory.dmp

memory/3532-353-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3532-354-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/3532-359-0x0000000072110000-0x00000000728C0000-memory.dmp

memory/3920-364-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2660-363-0x00000000028C0000-0x00000000028D6000-memory.dmp

memory/4688-367-0x00000000043B0000-0x00000000047B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\A5CA.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/4688-377-0x00000000047C0000-0x00000000050AB000-memory.dmp

memory/4976-378-0x0000000072110000-0x00000000728C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A5CA.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/2972-380-0x0000000072110000-0x00000000728C0000-memory.dmp

memory/4500-383-0x0000000005690000-0x00000000056A0000-memory.dmp

memory/2972-382-0x0000000000C20000-0x0000000000C3E000-memory.dmp

memory/520-384-0x0000000072110000-0x00000000728C0000-memory.dmp

memory/520-385-0x0000000000400000-0x000000000046F000-memory.dmp

memory/4688-392-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8fee95820f778375290279d8e6e2c13b
SHA1 0a0904653e463f2da3b0d63975f7891618f2b0eb
SHA256 be3086129dd5c20bbd39bccba466e6817d2ff100a331bca83ab574ed52822346
SHA512 3142acdde1292df95ee64d45fa2e1e69cecb4e2293034c3ae5fea9131d2e779978f40abbedfd6cdee2ecb1aee80286df9ebe733bc7c77d895cb08d0fce1d6fba

memory/4688-407-0x0000000000400000-0x000000000266D000-memory.dmp

memory/4500-408-0x0000000072110000-0x00000000728C0000-memory.dmp

memory/3532-409-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

memory/4500-410-0x0000000005590000-0x0000000005591000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c7510ba0202b09cf1c218755d3a1e284
SHA1 8e8cab50340b67fd379db38a088f527a82784707
SHA256 495d34bcaa92671b7d039f830aa350fc6ec09b23075efd470ef1899f73a4bfc3
SHA512 32e2b3dbf12f86aeca4630a6625dd3ae8f1e8b88d8781ea47c617627ff11d50f0cdd9619d6c5d9b7413c96a4919cf343185889cae29954ca159975a68a997bd2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c6c6.TMP

MD5 9788c63309378eb0cc70c6c020846647
SHA1 aebfa2fe812944675938031be6a44b37b7686e36
SHA256 f2d6b5fe2ab42c701f988284fcac74c7696b500956420b7c221348212051e72e
SHA512 3ffd0aa131170518049122d6b997e226bfa8f89160371ddc53d7226c0b5b587f7fade26dc69ef6b52114d8e06434ccca4b1c24e1afa74e79e4cbcf9b646d2f02

memory/2972-411-0x0000000005510000-0x0000000005520000-memory.dmp

memory/4500-421-0x0000000005840000-0x00000000058DC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/3532-427-0x0000000072110000-0x00000000728C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 48c98b077df132be736d0cc49d5e720e
SHA1 4769c73d1fc6a3c3e44d529f850648cdcb781ce2
SHA256 7a3b99dd600ce8105b5bc1c635d7724ae4bf4d0214de79b797d6310f11b24d09
SHA512 b6214a395616fd7cbd1eb81fb17eb2aab66b2564023b75d03267034c0630850c298f7aeb4367100cba4d0f9b6c6fa628d46354dfc6f521e46aa47f722c007100

memory/1924-437-0x00007FF7B8BB0000-0x00007FF7B9151000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Roaming\wrdchdv

MD5 89d41e1cf478a3d3c2c701a27a5692b2
SHA1 691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256 dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA512 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

memory/4688-449-0x00000000043B0000-0x00000000047B2000-memory.dmp

memory/4688-450-0x00000000047C0000-0x00000000050AB000-memory.dmp

memory/3532-454-0x0000000005E70000-0x0000000006032000-memory.dmp

memory/4688-453-0x0000000000400000-0x000000000266D000-memory.dmp

memory/3532-455-0x0000000006060000-0x000000000658C000-memory.dmp

memory/2972-456-0x0000000072110000-0x00000000728C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 b4cfabca23c22f1c8aa4c7cb38c8f7cb
SHA1 8eecffb755cfb36a562b90813149df922187b0a9
SHA256 73aca4a3e3bf660a32e9b2aa34dadb5b1a84b811534606a21f1e227ae615fc36
SHA512 33f472b580faac17f948320d26d7265d0ccb918635bb1e482adb69ce99352c74d6933d4619ddf20658278d82c928ba740495fedc8e815fd918eb14474ad1b02f

memory/4500-466-0x0000000005690000-0x00000000056A0000-memory.dmp

memory/4688-467-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/3532-473-0x0000000006640000-0x00000000066A6000-memory.dmp

memory/4500-475-0x00000000059D0000-0x00000000059E5000-memory.dmp

memory/4500-474-0x00000000059D0000-0x00000000059EC000-memory.dmp

memory/3532-477-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

memory/4500-476-0x00000000059D0000-0x00000000059E5000-memory.dmp

memory/4500-487-0x00000000059D0000-0x00000000059E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/4500-479-0x00000000059D0000-0x00000000059E5000-memory.dmp

memory/4500-489-0x00000000059D0000-0x00000000059E5000-memory.dmp

memory/4500-491-0x00000000059D0000-0x00000000059E5000-memory.dmp

memory/4500-493-0x00000000059D0000-0x00000000059E5000-memory.dmp

memory/4500-495-0x00000000059D0000-0x00000000059E5000-memory.dmp

memory/4500-497-0x00000000059D0000-0x00000000059E5000-memory.dmp

memory/4500-499-0x00000000059D0000-0x00000000059E5000-memory.dmp

memory/4500-501-0x00000000059D0000-0x00000000059E5000-memory.dmp

memory/4500-503-0x00000000059D0000-0x00000000059E5000-memory.dmp

memory/4500-505-0x00000000059D0000-0x00000000059E5000-memory.dmp

memory/5904-506-0x0000000000400000-0x000000000047F000-memory.dmp

memory/5904-511-0x0000000000400000-0x000000000047F000-memory.dmp

memory/5904-507-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2972-510-0x0000000005510000-0x0000000005520000-memory.dmp

memory/4500-512-0x0000000005A90000-0x0000000005A91000-memory.dmp

memory/4688-553-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 71de40bb047421c0bd565d0136b749fb
SHA1 53b638fe533e76979efa7ca7104c046707026b4f
SHA256 7e1f28efeacf841370901e538807dd1fadfb1120eb876669119129568904f0f9
SHA512 9fdcbf43d4044f56fda24c0d9d881b5d3861d40ceab4024125ef7e1d9863cbe8586905125944c03df4b20a512cdd9c492f833e0981a831eee0f245b9c29d7c2c

memory/1924-559-0x00007FF7B8BB0000-0x00007FF7B9151000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5azig22x.iaq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmp31BC.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp31F1.tmp

MD5 90e96ddf659e556354303b0029bc28fc
SHA1 22e5d73edd9b7787df2454b13d986f881261af57
SHA256 b62f6f0e4e88773656033b8e70eb487e38c83218c231c61c836d222b1b1dca9e
SHA512 bd1b188b9749decacb485c32b7885c825b6344a92f2496b38e5eb3f86b24015c63bd1a35e82969306ab6d6bc07826442e427f4765beade558378a4404af087a9

C:\Users\Admin\AppData\Local\Temp\tmp325A.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp3270.tmp

MD5 287043ec60cc4e05757d1576a2443d31
SHA1 acba8cd395abf70dbe1721d75bc5af0250e73076
SHA256 74faa4c08f728e6cadc96e483aa6b17d8c7192625de408de74d930059f245ed5
SHA512 7be865ac1dcd672d2c98f58cff1dc3f47dc6b621bdf2a34513d2cc81143cb862a6d77dd20081515ae3ce461232b6faccf17988aaa7c66d605f61b3ee5ed952c0

C:\Users\Admin\AppData\Local\Temp\tmp32DF.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp331A.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77