Malware Analysis Report

2025-01-23 08:18

Sample ID 231010-zd6kbshg6y
Target file
SHA256 ac8ff52cb62090f12549de17ef1c720764e8c2b564ba480da40a65ce6b7ba256
Tags
amadey dcrat healer mystic redline sectoprat smokeloader 6012068394_99 lutyr magia pixelscloud backdoor discovery dropper evasion infostealer persistence rat stealer trojan glupteba up3 loader spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ac8ff52cb62090f12549de17ef1c720764e8c2b564ba480da40a65ce6b7ba256

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

DcRat

SectopRAT payload

SmokeLoader

RedLine payload

Detect Mystic stealer payload

Windows security bypass

Amadey

Modifies Windows Defender Real-time Protection settings

Mystic

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine

Glupteba payload

Detects Healer an antivirus disabler dropper

Glupteba

SectopRAT

Healer

Stops running service(s)

Modifies Windows Firewall

Downloads MZ/PE file

Drops file in Drivers directory

Windows security modification

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:37

Reported

2023-10-10 20:58

Platform

win10v2004-20230915-en

Max time kernel

178s

Max time network

181s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A (4 matches, no indicator details recorded)

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (3 matches, no indicator details recorded)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A

Note: all five values are written under the Policies hive by 52B3.exe, i.e. the dropper impersonates a Group Policy setting rather than talking to Defender itself, and the same process sets Features\TamperProtection = "0" (see Windows security modification). That combination is the AV-disabler behaviour the Healer detection in this report refers to. On a host with Tamper Protection enabled Defender ignores these policy values and protects the TamperProtection value itself; the writes only take effect on images like this sandbox where it is off, so their success here should not be read as "Defender was disabled" on a hardened endpoint.

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (8 matches, no indicator details recorded)

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A (3 matches, no indicator details recorded)

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4EAA.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5535.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Note: Control Panel\International\Geo\Nation holds the user's configured country code. Loaders and stealers of the families tagged here commonly read it as a locale kill switch (typically to skip CIS countries), so a sample that reads this value and then does nothing in a re-run may simply have matched an excluded country rather than detected the sandbox.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4198.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2474707.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4D70.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4EAA.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\51E7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5535.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c9657920.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2kf426Vj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9701.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8C7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\461F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8934.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4198.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe N/A

Note: these seven RunOnce values are the standard cleanup entries that the Windows IExpress/wextract self-extractor writes for each IXP00n.TMP extraction directory; rundll32 advpack.dll,DelNodeRunDLL32 deletes that directory at the next logon. They show that file.exe and each nested stage are wextract packages (six levels deep, IXP000 to IXP006), not that the malware persists via Run keys. The persistence in this run is the per-minute scheduled task for explothe.exe shown in the Processes section.

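As an added example (not part of the sandbox report or of any of the tagged families' code), the following Python script parses registry rows in the row layout the tables on this page use and classifies them: Defender real-time-protection policy values set to 1, TamperProtection set to 0, and Run/RunOnce entries, separating wextract's own cleanup entries from genuine Run-key persistence. It also scores the schtasks command line from the Processes section. The row text is copied from this report; the parsing regex, the finding names, the wextract rule and the five-minute interval threshold are this example's own assumptions, not Triage signatures.

```python
"""Classify registry rows and a schtasks command line copied from this report.

Added example. The row layout is the one shown in the tables on this page;
the finding names, the wextract rule and the interval threshold are assumptions
made for this example, not sandbox signatures.
"""
import re
from dataclasses import dataclass

# Rows copied from the behavioral2 tables (Defender policy, Features, RunOnce).
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe N/A
'''
# schtasks line copied from the Processes section of this report.
SCHTASKS_LINE = r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F'

# "Set value (type) <key>\<name> = "<data>" <process> N/A"
REG_ROW = re.compile(
    r'^Set value \((?:int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+) N/A$'
)
RTP_POLICY_KEY = r"\windows defender\real-time protection"   # compared case-insensitively
FEATURES_KEY = r"\windows defender\features"
RTP_DISABLE_VALUES = {"DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
                      "DisableIOAVProtection", "DisableOnAccessProtection",
                      "DisableScanOnRealtimeEnable"}
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?$")
WEXTRACT_CLEANUP = re.compile(r"^wextract_cleanup\d+$")
DELNODE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str      # defender_rtp_disabled | tamper_protection_off | wextract_cleanup | run_key_persistence
    process: str   # process that wrote the value
    name: str      # registry value name


def parse_reg_rows(text):
    """Return (key_path, value_name, data, process) for every 'Set value' row."""
    rows = []
    for line in text.splitlines():
        m = REG_ROW.match(line.strip())
        if m:
            key, name = m["path"].rsplit("\\", 1)
            rows.append((key, name, m["data"], m["proc"]))
    return rows


def classify(rows):
    """Map each row to a Finding; rows that match no rule are ignored."""
    findings = []
    for key, name, data, proc in rows:
        k = key.lower()
        if k.endswith(RTP_POLICY_KEY) and name in RTP_DISABLE_VALUES and data == "1":
            findings.append(Finding("defender_rtp_disabled", proc, name))
        elif k.endswith(FEATURES_KEY) and name == "TamperProtection" and data == "0":
            findings.append(Finding("tamper_protection_off", proc, name))
        elif RUN_KEY.search(k):
            # wextract's own cleanup entry: rundll32 advpack.dll,DelNodeRunDLL32 <dir>
            if WEXTRACT_CLEANUP.match(name) and DELNODE.search(data):
                findings.append(Finding("wextract_cleanup", proc, name))
            else:
                findings.append(Finding("run_key_persistence", proc, name))
    return findings


def schtasks_interval_minutes(cmdline):
    """Repeat interval of a 'schtasks /Create /SC MINUTE' line (default /MO is 1), else None."""
    m = re.search(r"/SC\s+MINUTE(?:\s+/MO\s+(\d+))?", cmdline, re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1)) if m.group(1) else 1


def is_suspicious_task(cmdline, max_minutes=5):
    """High-frequency task whose action lives in a user-writable directory (threshold is an assumption)."""
    interval = schtasks_interval_minutes(cmdline)
    action = re.search(r'/TR\s+"?([^"]+?)"?(?:\s|$)', cmdline, re.IGNORECASE)
    return (interval is not None and interval <= max_minutes
            and action is not None and USER_WRITABLE.search(action.group(1)) is not None)


if __name__ == "__main__":
    for f in classify(parse_reg_rows(SAMPLE_ROWS)):
        print(f"{f.kind:24} {f.name:28} {f.process}")
    print("schtasks interval (min):", schtasks_interval_minutes(SCHTASKS_LINE),
          "suspicious:", is_suspicious_task(SCHTASKS_LINE))
```

Run against the rows above, the script reports five defender_rtp_disabled findings and one tamper_protection_off, all by 52B3.exe, classifies both RunOnce rows as wextract_cleanup rather than persistence, and flags the explothe.exe task (one-minute interval, action under AppData\Local\Temp). The wextract rule is deliberately narrow (value name wextract_cleanupN and a DelNodeRunDLL32 action); anything else under Run/RunOnce is still reported as persistence.
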
Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A (2 matches)
N/A N/A N/A N/A (62 further matches with no process recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (30 rows)
Token: SeCreatePagefilePrivilege N/A N/A N/A (30 rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\52B3.exe N/A

Identical rows are collapsed with their count. The SeShutdownPrivilege/SeCreatePagefilePrivilege pairs carry no process attribution in this report and are enabled by plenty of ordinary software, so they are weak signals on their own. The row that matters is SeDebugPrivilege enabled by 52B3.exe, the same dropper that rewrites the Defender policy keys above: that privilege is what a process needs to open and manipulate processes it does not own, including security services.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows)

The msedge.exe rows in this table and in FindShellTrayWindow above are ordinary browser window-message activity and are not indicators by themselves; they appear because the chain launched Edge (see the msedge.exe command lines in the Processes section), not because Edge misbehaved.

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4792 wrote to memory of 2540 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe
PID 2540 wrote to memory of 4468 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe
PID 4468 wrote to memory of 4868 (6 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3192 wrote to memory of 1332 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\4198.exe
PID 1332 wrote to memory of 4648 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\4198.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe
PID 2540 wrote to memory of 3768 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2474707.exe
PID 3192 wrote to memory of 1528 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\4D70.exe
PID 4648 wrote to memory of 1140 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe
PID 1140 wrote to memory of 3356 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe
PID 3356 wrote to memory of 4612 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe
PID 3192 wrote to memory of 496 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\4EAA.bat
PID 4612 wrote to memory of 968 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe
PID 1528 wrote to memory of 1304 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\4D70.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3768 wrote to memory of 4876 (10 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2474707.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3192 wrote to memory of 2152 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\51E7.exe
PID 3192 wrote to memory of 4160 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\52B3.exe

Identical rows are collapsed with their count. Two patterns are worth separating. Every ordinary launch in the chain shows up as a group of two or three writes from parent into child (the parent setting up the new process's startup data), which is not an injection indicator on its own; this is how the wextract stages v6688163.exe, WS5OY2lM.exe, bB1Ol2hS.exe, em6sS5Wk.exe and FY0Vk8iU.exe hand off to one another. The bursts of 6 and 10 writes from a2961194.exe, 4D70.exe and b2474707.exe into a freshly started AppLaunch.exe (a signed .NET host) are different: together with the SetThreadContext, MapViewOfSection and UnmapMainImage signatures they are consistent with process hollowing, so the stealer payloads execute inside AppLaunch.exe and memory-based detection has to look there rather than at the dropper. PID 3192 has no image path in this table; it launches the hex-named payloads (4198.exe, 4D70.exe, 4EAA.bat, 51E7.exe, 52B3.exe) from %TEMP%, which matches the way SmokeLoader's injected stage starts the modules it downloads.

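As an added example (not part of the sandbox report or of any of the tagged families' code), the following Python script rebuilds the launch and injection graph from rows in the layout of the WriteProcessMemory table above. The rows are copied from this report with the multiplicity the table shows; the hollowing heuristic (six or more writes into a known signed .NET host), the host list and the threshold are this example's own assumptions, not Triage signatures.

```python
"""Rebuild the launch/injection graph from 'PID x wrote to memory of y' rows.

Added example. The rows are copied from the WriteProcessMemory table on this
page with the multiplicity shown there; the hollowing heuristic, the host list
and HOLLOW_MIN_WRITES are assumptions made for this example.
"""
import re
from collections import Counter, defaultdict

WPM_ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_path>\S+) (?P<dst_path>\S+)$"
)

# (row copied from the report, number of identical rows in the report)
SAMPLE = [
    (r"PID 4792 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe", 3),
    (r"PID 2540 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe", 3),
    (r"PID 4468 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe", 6),
    (r"PID 2540 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2474707.exe", 3),
    (r"PID 3768 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2474707.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe", 10),
    (r"PID 3192 wrote to memory of 1332 N/A N/A C:\Users\Admin\AppData\Local\Temp\4198.exe", 3),
    (r"PID 3192 wrote to memory of 1528 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D70.exe", 3),
    (r"PID 1528 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\4D70.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe", 10),
    (r"PID 3192 wrote to memory of 4160 N/A N/A C:\Users\Admin\AppData\Local\Temp\52B3.exe", 2),
]
SAMPLE_TEXT = "\n".join(row for row, n in SAMPLE for _ in range(n))

# Signed Microsoft binaries commonly used as hollowing hosts (assumption for this example).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe", "vbc.exe"}
# An ordinary CreateProcess launch shows 2-3 writes here; hollowing writes headers,
# sections and thread context and shows many more. Threshold is an assumption.
HOLLOW_MIN_WRITES = 6


def parse_wpm(text):
    """Return ({(src_pid, dst_pid): write_count}, {pid: image_path})."""
    edges, names = Counter(), {}
    for line in text.splitlines():
        m = WPM_ROW.match(line.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        for pid, path in ((src, m["src_path"]), (dst, m["dst_path"])):
            if path != "N/A":
                names[pid] = path
    return edges, names


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def hollowing_candidates(edges, names, min_writes=HOLLOW_MIN_WRITES):
    """(src_pid, dst_pid, writes) for write bursts into a known hollowing host."""
    return sorted((s, d, n) for (s, d), n in edges.items()
                  if n >= min_writes and image_name(names.get(d, "")) in HOLLOW_HOSTS)


def unattributed_launchers(edges, names):
    """PIDs that write into other processes but have no image path anywhere in the table."""
    return sorted({s for (s, _) in edges if s not in names})


def render_tree(edges, names):
    """Indented launch tree, one line per process, with the write count from its parent."""
    children = defaultdict(list)
    for (s, d), n in edges.items():
        children[s].append((d, n))
    targets = {d for (_, d) in edges}
    lines = []

    def walk(pid, depth, writes):
        tag = f"  <- {writes} writes" if writes else ""
        lines.append("  " * depth + f"{pid} {names.get(pid, 'N/A')}{tag}")
        for d, n in sorted(children.get(pid, [])):
            walk(d, depth + 1, n)

    for root in sorted(s for s in children if s not in targets):
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    edges, names = parse_wpm(SAMPLE_TEXT)
    print("\n".join(render_tree(edges, names)))
    print("hollowing candidates:", hollowing_candidates(edges, names))
    print("unattributed launchers:", unattributed_launchers(edges, names))
```

On the rows above the tree has two roots, file.exe (PID 4792) and the unattributed PID 3192; the three 6- and 10-write bursts into AppLaunch.exe are reported as hollowing candidates while every 2- or 3-write parent-child launch is not. When applying this to a full report, feed it the complete table: the count per (source, target) pair is the signal, so deduplicating rows first would destroy it.
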
Uses Task Scheduler COM API

persistence

Processes

Each entry below is an image path followed by the command line observed for it. The WerFault.exe entries (-p 4468, 1528, 3768, 4876, 968, 2152 and 3644) are Windows Error Reporting handling crashes of those PIDs: a2961194.exe, 4D70.exe, b2474707.exe, the AppLaunch.exe host hollowed by b2474707.exe, 1ZO32QK3.exe and 51E7.exe all crashed during the run (PID 3644 does not appear elsewhere in this report), so the behavioral record for those payloads is partial and the absence of further activity from them should not be read as benign.

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4468 -ip 4468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 140

C:\Users\Admin\AppData\Local\Temp\4198.exe

C:\Users\Admin\AppData\Local\Temp\4198.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2474707.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2474707.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe

C:\Users\Admin\AppData\Local\Temp\4D70.exe

C:\Users\Admin\AppData\Local\Temp\4D70.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe

C:\Users\Admin\AppData\Local\Temp\4EAA.bat

"C:\Users\Admin\AppData\Local\Temp\4EAA.bat"

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1528 -ip 1528

C:\Users\Admin\AppData\Local\Temp\51E7.exe

C:\Users\Admin\AppData\Local\Temp\51E7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3768 -ip 3768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4876 -ip 4876

C:\Users\Admin\AppData\Local\Temp\52B3.exe

C:\Users\Admin\AppData\Local\Temp\52B3.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\500F.tmp\5010.tmp\5011.bat C:\Users\Admin\AppData\Local\Temp\4EAA.bat"

Note: despite its name, 4EAA.bat is executed as a PE (it is listed under Executes dropped EXE and is written to by PID 3192 at launch). Its first action is to unpack a real batch script into nested .tmp directories and run it through the 64-bit cmd.exe (sysnative is the 32-bit view of System32), a pattern typical of batch-to-EXE wrappers. The script's contents are not reproduced in this report.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 968 -ip 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3644 -ip 3644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2152 -ip 2152

C:\Users\Admin\AppData\Local\Temp\5535.exe

C:\Users\Admin\AppData\Local\Temp\5535.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

Note: this and the facebook.com/login launch below are not attributed to a parent in this report. Opening login pages in the victim's own browser is a common prelude to harvesting the browser's saved credentials and cookies (compare the Reads user/profile data of web browsers signature); the many msedge.exe rows in the signature tables above are the browser's ordinary activity that follows from these launches.

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

Note: this is the persistence mechanism of the run. A task named after the binary, relaunching it every minute from a random ten-hex-character directory under %TEMP%, is Amadey's standard install routine; the three explothe.exe launches under Executes dropped EXE are this task firing. Removing the sample without deleting the task (and the fefffe8cea directory) leaves a re-infection path.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffb8f1746f8,0x7ffb8f174708,0x7ffb8f174718

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c9657920.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c9657920.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb8f1746f8,0x7ffb8f174708,0x7ffb8f174718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2360,10884988791718903600,15767871216045371302,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2444 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2360,10884988791718903600,15767871216045371302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2360,10884988791718903600,15767871216045371302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3112 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2360,10884988791718903600,15767871216045371302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2360,10884988791718903600,15767871216045371302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2kf426Vj.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2kf426Vj.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2360,10884988791718903600,15767871216045371302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,18327649434232198319,11222931176611056344,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2360,10884988791718903600,15767871216045371302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2360,10884988791718903600,15767871216045371302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\9701.exe

C:\Users\Admin\AppData\Local\Temp\9701.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2360,10884988791718903600,15767871216045371302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2360,10884988791718903600,15767871216045371302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\8C7.exe

C:\Users\Admin\AppData\Local\Temp\8C7.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2360,10884988791718903600,15767871216045371302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2360,10884988791718903600,15767871216045371302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2360,10884988791718903600,15767871216045371302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\461F.exe

C:\Users\Admin\AppData\Local\Temp\461F.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\8934.exe

C:\Users\Admin\AppData\Local\Temp\8934.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
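
The schtasks, cmd/cacls and rundll32 lines above are the loader's persistence and self-protection routine: a task that relaunches explothe.exe from %TEMP% every minute, a cacls sequence that first replaces the ACL on the dropper and its directory with a single Admin:N entry and then edits read-only access back in (so the logged-on user can no longer delete them), and a DLL loaded from AppData\Roaming via rundll32. The detection logic below is an added example, not part of the report: it runs three rules over constructed process-creation events whose command lines are copied from the Processes list (event ids and the benign daily backup task are made up for the demo).

```python
"""Flag schtasks persistence, cacls self-protection and rundll32 DLL loads
from user-writable paths in process-creation events (added example)."""
import ntpath
import re

# Windows command-line tokenizer: quoted spans stay whole, quotes are stripped.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# schtasks /Create switches that consume the following token as their value.
VALUE_SWITCHES = {"/SC", "/MO", "/TN", "/TR", "/ST", "/SD", "/ED", "/ET", "/RU",
                  "/RP", "/RL", "/D", "/M", "/I", "/DU", "/RI", "/EC"}

# Directories a standard user can write to; legitimate tasks rarely run from here.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local\\Temp|Roaming)|ProgramData)\\", re.I)

# cacls <target> /P <user>:N without /E replaces the whole ACL with one
# deny-all entry; the sample then re-adds read-only with "/P Admin:R /E".
ACL_LOCK = re.compile(r'cacls\s+("[^"]*"|\S+)\s+/p\s+"?[^":\s]+:n"?', re.I)


def tokenize_win(cmdline):
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return {SWITCH: value or True} for a schtasks command line, else None."""
    toks = tokenize_win(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        key = toks[i].upper()
        if key in VALUE_SWITCHES and i + 1 < len(toks):
            opts[key], i = toks[i + 1], i + 2
        else:
            opts[key], i = True, i + 1
    return opts


def schtasks_reasons(opts):
    """Why a /Create call looks like malware persistence (empty list = benign)."""
    reasons = []
    if not opts or "/CREATE" not in opts:
        return reasons
    mo = opts.get("/MO")
    if (str(opts.get("/SC", "")).upper() == "MINUTE"
            and isinstance(mo, str) and mo.isdigit() and int(mo) <= 5):
        reasons.append(f"runs every {mo} minute(s)")
    tr = opts.get("/TR")
    if isinstance(tr, str) and USER_WRITABLE.search(tr):
        reasons.append("action lives in a user-writable directory")
    tn = opts.get("/TN")
    if isinstance(tn, str) and tn.lower().endswith(".exe"):
        reasons.append("task named after the executable")
    if "/F" in opts:
        reasons.append("forced overwrite (/F)")
    return reasons


def rundll32_user_dll(cmdline):
    """DLL path when rundll32 loads a module from a user-writable directory."""
    toks = tokenize_win(cmdline)
    if len(toks) < 2 or ntpath.basename(toks[0]).lower() not in ("rundll32", "rundll32.exe"):
        return None
    dll = toks[1].rstrip(",")  # "clip64.dll, Main": the path token ends in ','
    return dll if USER_WRITABLE.search(dll) else None


def scan(events):
    """Apply all three rules; returns one finding dict per (event, rule) hit."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        reasons = schtasks_reasons(parse_schtasks(cmd))
        if len(reasons) >= 2:
            findings.append({"id": ev["id"], "rule": "scheduled_task_persistence",
                             "detail": "; ".join(reasons)})
        if ACL_LOCK.search(cmd):
            findings.append({"id": ev["id"], "rule": "acl_self_protection", "detail": cmd})
        dll = rundll32_user_dll(cmd)
        if dll:
            findings.append({"id": ev["id"], "rule": "rundll32_user_profile_dll", "detail": dll})
    return findings


# Constructed events: ids are arbitrary; command lines 1-4 and 6 are from the report,
# event 5 is a made-up benign task used as a negative control.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F'},
    {"id": 2, "cmdline": r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit'},
    {"id": 3, "cmdline": r'CACLS "explothe.exe" /P "Admin:N"'},
    {"id": 4, "cmdline": r'CACLS "explothe.exe" /P "Admin:R" /E'},
    {"id": 5, "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /ST 09:00 /TN Backup /TR "C:\Program Files\Backup\backup.exe"'},
    {"id": 6, "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f['id']}: {f['rule']} ({f['detail']})")
```

The scheduled-task rule requires two independent reasons before it fires, so a one-minute task in Program Files or a forced daily task in %TEMP% alone does not alert; the page's schtasks line trips all four. The cacls rule only matches the deny step (`:N`), not the later read-only edit, which is what distinguishes the lock from an ordinary permission change.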

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 133.113.22.20.in-addr.arpa udp
US 8.8.8.8:53 126.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 27.30.240.157.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
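
Two kinds of traffic are mixed in the table above. The peers on 77.91.68.29, 77.91.124.1, 5.42.65.80, 5.42.92.211 and 185.216.70.222 are contacted by bare IP on port 80 with no forward DNS lookup, which is what a hard-coded C2 list looks like; the facebook, google, fbcdn and bing rows belong to the Edge windows the sample opened on login pages, and the in-addr.arpa rows are PTR queries logged for each peer. The parser below is an added example, not part of the report: it separates the two classes, counts connections per raw-IP endpoint and cross-checks each against the PTR queries. The embedded rows are a subset of the report's Network table (unrelated PTR rows omitted; every raw-IP row kept so the counts match the page).

```python
"""Extract hard-coded C2 endpoints from a sandbox Network table (added example)."""

# Subset of this report's Network table, order preserved.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""


def parse_network(text):
    """One dict per data row; the mDNS row has no Domain column (3 fields)."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """Reverse '29.68.91.77.in-addr.arpa' back to '77.91.68.29'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    return ".".join(reversed(octets))


def c2_candidates(rows):
    """(ip, port) -> {country, count} for TCP peers whose Domain column is the
    bare IP: nothing was resolved for them, so the address is in the sample."""
    out = {}
    for r in rows:
        if r["proto"] != "tcp" or r["port"] == 53 or r["domain"] not in ("", r["ip"]):
            continue
        entry = out.setdefault((r["ip"], r["port"]), {"country": r["country"], "count": 0})
        entry["count"] += 1
    return out


def named_hosts(rows):
    """hostname -> set of IPs for connections that did go through DNS."""
    hosts = {}
    for r in rows:
        if r["port"] == 53 or r["domain"] in ("", r["ip"]) or ptr_to_ip(r["domain"]):
            continue
        hosts.setdefault(r["domain"], set()).add(r["ip"])
    return hosts


def ptr_lookups(rows):
    """IPs that were reverse-resolved; every C2 candidate should appear here."""
    found = set()
    for r in rows:
        ip = ptr_to_ip(r["domain"])
        if ip:
            found.add(ip)
    return found


if __name__ == "__main__":
    rows = parse_network(NETWORK_TABLE)
    for (ip, port), info in sorted(c2_candidates(rows).items()):
        print(f"{ip}:{port}\t{info['country']}\t{info['count']} connection(s)")
```

Block lists built this way should exclude the named hosts automatically: the browser endpoints are shared CDN and identity front ends, and blocking them would generate noise without touching the loader's beacons.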

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe

MD5 5208494d2e7540f630d52762bb669331
SHA1 bd88c3918a50611254cb779567176e4087f320ac
SHA256 58cbf15b2bee76cc4c8df034df7f0bd484409f1c2e92ba743702c55d46b67100
SHA512 60300c68fa37fdf639684c0d9c1305b8d4cdcd40ab15fbd98f66dcf313d1b4695397581063034dc034f0aa63005e10021e73cffeeb2975d1f32abb4f2c80b10f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe

MD5 5208494d2e7540f630d52762bb669331
SHA1 bd88c3918a50611254cb779567176e4087f320ac
SHA256 58cbf15b2bee76cc4c8df034df7f0bd484409f1c2e92ba743702c55d46b67100
SHA512 60300c68fa37fdf639684c0d9c1305b8d4cdcd40ab15fbd98f66dcf313d1b4695397581063034dc034f0aa63005e10021e73cffeeb2975d1f32abb4f2c80b10f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

MD5 aab3cb72e45ab20793df93987f57f517
SHA1 086ffd96a2fe20fa5b9e69d6885409fb92576c9d
SHA256 eac76b2556f26ffae62cd4104dd24e629b2aca3398441f3decec751639322c8e
SHA512 721e6494b4964c8743bce9a4a4f8ec5217a86bf0c3ed07f56acea0370ef3c5eccf10592f4f01c4fcf7d88e355a84fafff8f233512047ac77a2f82bfc68989ee3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

MD5 aab3cb72e45ab20793df93987f57f517
SHA1 086ffd96a2fe20fa5b9e69d6885409fb92576c9d
SHA256 eac76b2556f26ffae62cd4104dd24e629b2aca3398441f3decec751639322c8e
SHA512 721e6494b4964c8743bce9a4a4f8ec5217a86bf0c3ed07f56acea0370ef3c5eccf10592f4f01c4fcf7d88e355a84fafff8f233512047ac77a2f82bfc68989ee3

memory/4868-14-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4868-15-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3192-16-0x0000000002B00000-0x0000000002B16000-memory.dmp

memory/4868-17-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4198.exe

MD5 e5b41e4d3968f7a551375467bfa61ce5
SHA1 1c586f294bb35f3ebd526d9cb8360e9f81b728e0
SHA256 b524acb6b41d1e5ce707816496e1656ee94685a90b0b03435c1286ff3ae2a94b
SHA512 aad2e0d486fb168f57fb52a8f4b54bbf57f3a006091f7dbc4fc59e99b80b896cbfe81990027ef0a8547317ca283991f2be926151f8b7f5554771ebc0d5730f13

C:\Users\Admin\AppData\Local\Temp\4198.exe

MD5 e5b41e4d3968f7a551375467bfa61ce5
SHA1 1c586f294bb35f3ebd526d9cb8360e9f81b728e0
SHA256 b524acb6b41d1e5ce707816496e1656ee94685a90b0b03435c1286ff3ae2a94b
SHA512 aad2e0d486fb168f57fb52a8f4b54bbf57f3a006091f7dbc4fc59e99b80b896cbfe81990027ef0a8547317ca283991f2be926151f8b7f5554771ebc0d5730f13

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2474707.exe

MD5 606d0dc39fac1070d0df38287222cf88
SHA1 d9ed2711ac5b9ae6a1685ecc6d0d2f1fee53424f
SHA256 511a8f3fd066d91c00d3eb14d2d9e07309eb8bc03d77b4bbefe116c66ccad489
SHA512 862c67d27d6f414512c54da8a0de194289f727c76640bcf4209af4a7b67291162c7edb0492bd37aebf4ce8f7a09391c39f0c5fa42f801b40e8fb9dfb3b18b68b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2474707.exe

MD5 606d0dc39fac1070d0df38287222cf88
SHA1 d9ed2711ac5b9ae6a1685ecc6d0d2f1fee53424f
SHA256 511a8f3fd066d91c00d3eb14d2d9e07309eb8bc03d77b4bbefe116c66ccad489
SHA512 862c67d27d6f414512c54da8a0de194289f727c76640bcf4209af4a7b67291162c7edb0492bd37aebf4ce8f7a09391c39f0c5fa42f801b40e8fb9dfb3b18b68b

C:\Users\Admin\AppData\Local\Temp\4D70.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

C:\Users\Admin\AppData\Local\Temp\4D70.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

C:\Users\Admin\AppData\Local\Temp\4EAA.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\4EAA.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\4EAA.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

memory/1304-76-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1304-77-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1304-79-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4876-84-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4876-85-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\51E7.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

C:\Users\Admin\AppData\Local\Temp\51E7.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

memory/4876-78-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1304-75-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4876-88-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\52B3.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\52B3.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/4160-92-0x0000000000C10000-0x0000000000C1A000-memory.dmp

memory/3644-95-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4160-94-0x00007FFB91410000-0x00007FFB91ED1000-memory.dmp

memory/3644-96-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3644-99-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4560-100-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5535.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\5535.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\500F.tmp\5010.tmp\5011.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/1304-107-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1304-108-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/4560-116-0x0000000072390000-0x0000000072B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c9657920.exe

MD5 b023422dfbe03632bfe47246fff86a03
SHA1 7edfdebca094e7dd40608ee2223adfa1f2d767de
SHA256 1c9ab6f6baf8af222862809695e81d3480fd36f9c362406bcc6dc1c16e1cf406
SHA512 7ad15deda24dafdf1f5678b4756edc27909124d3a9eb900cdb8c60c28765ca24e28dbcdc771df11e16df7db60cc701497352a108af8778be48a49375dac3d932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c9657920.exe

MD5 b023422dfbe03632bfe47246fff86a03
SHA1 7edfdebca094e7dd40608ee2223adfa1f2d767de
SHA256 1c9ab6f6baf8af222862809695e81d3480fd36f9c362406bcc6dc1c16e1cf406
SHA512 7ad15deda24dafdf1f5678b4756edc27909124d3a9eb900cdb8c60c28765ca24e28dbcdc771df11e16df7db60cc701497352a108af8778be48a49375dac3d932

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c126b33f65b7fc4ece66e42d6802b02e
SHA1 2a169a1c15e5d3dab708344661ec04d7339bcb58
SHA256 ca9d2a9ab8047067c8a78be0a7e7af94af34957875de8e640cf2f98b994f52d8
SHA512 eecbe3f0017e902639e0ecb8256ae62bf681bb5f80a7cddc9008d2571fe34d91828dfaee9a8df5a7166f337154232b9ea966c83561ace45d1e2923411702e822

memory/4160-125-0x00007FFB91410000-0x00007FFB91ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

\??\pipe\LOCAL\crashpad_504_FWGVXAAMSLMOWWKO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2kf426Vj.exe

MD5 bb6d1132944801ee447678e1bb873f4b
SHA1 3ff8e24650ede043374080ee3bb68e5b029e3165
SHA256 c0cdbb93974bd70eaf1247f5f4e5c0e94238059da36d3b6c411f7abf3303c0c7
SHA512 aabe46394d217965b0564134505a37f1e908a1ad9f01d31dd0d144eb4d929017725fde184580b3492b3a0e5888f9ddbfa7d3c474305b6862ba7c3fe4bb486cbb

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2kf426Vj.exe

MD5 bb6d1132944801ee447678e1bb873f4b
SHA1 3ff8e24650ede043374080ee3bb68e5b029e3165
SHA256 c0cdbb93974bd70eaf1247f5f4e5c0e94238059da36d3b6c411f7abf3303c0c7
SHA512 aabe46394d217965b0564134505a37f1e908a1ad9f01d31dd0d144eb4d929017725fde184580b3492b3a0e5888f9ddbfa7d3c474305b6862ba7c3fe4bb486cbb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

memory/4560-157-0x0000000072390000-0x0000000072B40000-memory.dmp

memory/4852-160-0x0000000072390000-0x0000000072B40000-memory.dmp

memory/4852-159-0x0000000000300000-0x000000000033E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9701.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\9701.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/4636-167-0x0000000072390000-0x0000000072B40000-memory.dmp

memory/4636-168-0x00000000003C0000-0x00000000012EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 798f28e3ed5369d315613f79998ab5ae
SHA1 73bb0c6326225034673f0a538186c89ef2d30725
SHA256 e941dd3c8194c98b27d5fdbead7915eb4940b50fc35cdfcf09b647847ad04dd8
SHA512 c192c1a7e02206e7517e86f314e8f51ccf3afadafaf6b6baf9e2f231934d2e55941876e369140afe2df985f9c8047c40383616a09d66393fff1819230de1c638

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 689c243b8891a2428afb390258372f58
SHA1 c61d3e9dc5ae9be7e7e8fffeaee35579438d1694
SHA256 231eb260c5c84d630ff03245fdab37b3163a990ff0001ef9f4e55828e9a0d384

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:37

Reported

2023-10-10 20:58

Platform

win7-20230831-en

Max time kernel

169s

Max time network

181s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects Healer an antivirus disabler dropper

Glupteba

loader dropper glupteba

Glupteba payload

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\5861.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\5861.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\5861.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\5861.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\5861.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\5861.exe N/A

RedLine

infostealer redline

RedLine payload

SectopRAT

trojan rat sectoprat

SectopRAT payload

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4D74.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4E7F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5295.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54F6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5861.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\598A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BFFC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D3BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F179.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4D74.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4D74.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\598A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84B0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\5861.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\5861.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4D74.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20231010205704.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob omitted) C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5861.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F179.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe
PID 2028 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe
PID 2028 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe
PID 2028 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe
PID 2028 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe
PID 2028 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe
PID 2028 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe
PID 2024 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe
PID 2024 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe
PID 2024 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe
PID 2024 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe
PID 2024 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe
PID 2024 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe
PID 2024 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe
PID 3068 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3068 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3068 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3068 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3068 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3068 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3068 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3068 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3068 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3068 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3068 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\SysWOW64\WerFault.exe
PID 3068 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\SysWOW64\WerFault.exe
PID 3068 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\SysWOW64\WerFault.exe
PID 3068 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\SysWOW64\WerFault.exe
PID 3068 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\SysWOW64\WerFault.exe
PID 3068 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\SysWOW64\WerFault.exe
PID 3068 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe C:\Windows\SysWOW64\WerFault.exe
PID 1192 wrote to memory of 2632 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4D74.exe
PID 1192 wrote to memory of 2632 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4D74.exe
PID 1192 wrote to memory of 2632 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4D74.exe
PID 1192 wrote to memory of 2632 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4D74.exe
PID 1192 wrote to memory of 2632 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4D74.exe
PID 1192 wrote to memory of 2632 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4D74.exe
PID 1192 wrote to memory of 2632 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4D74.exe
PID 1192 wrote to memory of 2564 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4E7F.exe
PID 1192 wrote to memory of 2564 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4E7F.exe
PID 1192 wrote to memory of 2564 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4E7F.exe
PID 1192 wrote to memory of 2564 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4E7F.exe
PID 2632 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4D74.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe
PID 2632 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4D74.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe
PID 2632 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4D74.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe
PID 2632 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4D74.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe
PID 2632 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4D74.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe
PID 2632 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4D74.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe
PID 2632 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\4D74.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe
PID 1724 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe
PID 1724 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe
PID 1724 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe
PID 1724 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe
PID 1724 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe
PID 1724 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe
PID 1724 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe
PID 2724 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe
PID 2724 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe
PID 2724 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe
PID 2724 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe
PID 2724 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe
PID 2724 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe
PID 2724 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe
PID 2564 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\4E7F.exe C:\Windows\SysWOW64\WerFault.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 36

C:\Users\Admin\AppData\Local\Temp\4D74.exe

C:\Users\Admin\AppData\Local\Temp\4D74.exe

C:\Users\Admin\AppData\Local\Temp\4E7F.exe

C:\Users\Admin\AppData\Local\Temp\4E7F.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 132

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe

C:\Users\Admin\AppData\Local\Temp\5295.bat

"C:\Users\Admin\AppData\Local\Temp\5295.bat"

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\532F.tmp\5330.tmp\5340.bat C:\Users\Admin\AppData\Local\Temp\5295.bat"

C:\Users\Admin\AppData\Local\Temp\54F6.exe

C:\Users\Admin\AppData\Local\Temp\54F6.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 476 -s 280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 132

C:\Users\Admin\AppData\Local\Temp\5861.exe

C:\Users\Admin\AppData\Local\Temp\5861.exe

C:\Users\Admin\AppData\Local\Temp\598A.exe

C:\Users\Admin\AppData\Local\Temp\598A.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\84B0.exe

C:\Users\Admin\AppData\Local\Temp\84B0.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A5BA066D-1D1E-4B6E-BE8C-3B3DA8443B83} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010205704.log C:\Windows\Logs\CBS\CbsPersist_20231010205704.cab

C:\Users\Admin\AppData\Local\Temp\BFFC.exe

C:\Users\Admin\AppData\Local\Temp\BFFC.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 528

C:\Users\Admin\AppData\Local\Temp\D3BC.exe

C:\Users\Admin\AppData\Local\Temp\D3BC.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 508

C:\Users\Admin\AppData\Local\Temp\F179.exe

C:\Users\Admin\AppData\Local\Temp\F179.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {91798632-B9F0-4A00-B82E-57738024B1A9} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network


Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe

MD5 5208494d2e7540f630d52762bb669331
SHA1 bd88c3918a50611254cb779567176e4087f320ac
SHA256 58cbf15b2bee76cc4c8df034df7f0bd484409f1c2e92ba743702c55d46b67100
SHA512 60300c68fa37fdf639684c0d9c1305b8d4cdcd40ab15fbd98f66dcf313d1b4695397581063034dc034f0aa63005e10021e73cffeeb2975d1f32abb4f2c80b10f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe

MD5 5208494d2e7540f630d52762bb669331
SHA1 bd88c3918a50611254cb779567176e4087f320ac
SHA256 58cbf15b2bee76cc4c8df034df7f0bd484409f1c2e92ba743702c55d46b67100
SHA512 60300c68fa37fdf639684c0d9c1305b8d4cdcd40ab15fbd98f66dcf313d1b4695397581063034dc034f0aa63005e10021e73cffeeb2975d1f32abb4f2c80b10f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe

MD5 5208494d2e7540f630d52762bb669331
SHA1 bd88c3918a50611254cb779567176e4087f320ac
SHA256 58cbf15b2bee76cc4c8df034df7f0bd484409f1c2e92ba743702c55d46b67100
SHA512 60300c68fa37fdf639684c0d9c1305b8d4cdcd40ab15fbd98f66dcf313d1b4695397581063034dc034f0aa63005e10021e73cffeeb2975d1f32abb4f2c80b10f

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6688163.exe

MD5 5208494d2e7540f630d52762bb669331
SHA1 bd88c3918a50611254cb779567176e4087f320ac
SHA256 58cbf15b2bee76cc4c8df034df7f0bd484409f1c2e92ba743702c55d46b67100
SHA512 60300c68fa37fdf639684c0d9c1305b8d4cdcd40ab15fbd98f66dcf313d1b4695397581063034dc034f0aa63005e10021e73cffeeb2975d1f32abb4f2c80b10f

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

MD5 aab3cb72e45ab20793df93987f57f517
SHA1 086ffd96a2fe20fa5b9e69d6885409fb92576c9d
SHA256 eac76b2556f26ffae62cd4104dd24e629b2aca3398441f3decec751639322c8e
SHA512 721e6494b4964c8743bce9a4a4f8ec5217a86bf0c3ed07f56acea0370ef3c5eccf10592f4f01c4fcf7d88e355a84fafff8f233512047ac77a2f82bfc68989ee3

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

MD5 aab3cb72e45ab20793df93987f57f517
SHA1 086ffd96a2fe20fa5b9e69d6885409fb92576c9d
SHA256 eac76b2556f26ffae62cd4104dd24e629b2aca3398441f3decec751639322c8e
SHA512 721e6494b4964c8743bce9a4a4f8ec5217a86bf0c3ed07f56acea0370ef3c5eccf10592f4f01c4fcf7d88e355a84fafff8f233512047ac77a2f82bfc68989ee3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

MD5 aab3cb72e45ab20793df93987f57f517
SHA1 086ffd96a2fe20fa5b9e69d6885409fb92576c9d
SHA256 eac76b2556f26ffae62cd4104dd24e629b2aca3398441f3decec751639322c8e
SHA512 721e6494b4964c8743bce9a4a4f8ec5217a86bf0c3ed07f56acea0370ef3c5eccf10592f4f01c4fcf7d88e355a84fafff8f233512047ac77a2f82bfc68989ee3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

MD5 aab3cb72e45ab20793df93987f57f517
SHA1 086ffd96a2fe20fa5b9e69d6885409fb92576c9d
SHA256 eac76b2556f26ffae62cd4104dd24e629b2aca3398441f3decec751639322c8e
SHA512 721e6494b4964c8743bce9a4a4f8ec5217a86bf0c3ed07f56acea0370ef3c5eccf10592f4f01c4fcf7d88e355a84fafff8f233512047ac77a2f82bfc68989ee3

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

MD5 aab3cb72e45ab20793df93987f57f517
SHA1 086ffd96a2fe20fa5b9e69d6885409fb92576c9d
SHA256 eac76b2556f26ffae62cd4104dd24e629b2aca3398441f3decec751639322c8e
SHA512 721e6494b4964c8743bce9a4a4f8ec5217a86bf0c3ed07f56acea0370ef3c5eccf10592f4f01c4fcf7d88e355a84fafff8f233512047ac77a2f82bfc68989ee3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

MD5 aab3cb72e45ab20793df93987f57f517
SHA1 086ffd96a2fe20fa5b9e69d6885409fb92576c9d
SHA256 eac76b2556f26ffae62cd4104dd24e629b2aca3398441f3decec751639322c8e
SHA512 721e6494b4964c8743bce9a4a4f8ec5217a86bf0c3ed07f56acea0370ef3c5eccf10592f4f01c4fcf7d88e355a84fafff8f233512047ac77a2f82bfc68989ee3

memory/2736-23-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2736-24-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2736-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2736-26-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2736-27-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

MD5 aab3cb72e45ab20793df93987f57f517
SHA1 086ffd96a2fe20fa5b9e69d6885409fb92576c9d
SHA256 eac76b2556f26ffae62cd4104dd24e629b2aca3398441f3decec751639322c8e
SHA512 721e6494b4964c8743bce9a4a4f8ec5217a86bf0c3ed07f56acea0370ef3c5eccf10592f4f01c4fcf7d88e355a84fafff8f233512047ac77a2f82bfc68989ee3

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

MD5 aab3cb72e45ab20793df93987f57f517
SHA1 086ffd96a2fe20fa5b9e69d6885409fb92576c9d
SHA256 eac76b2556f26ffae62cd4104dd24e629b2aca3398441f3decec751639322c8e
SHA512 721e6494b4964c8743bce9a4a4f8ec5217a86bf0c3ed07f56acea0370ef3c5eccf10592f4f01c4fcf7d88e355a84fafff8f233512047ac77a2f82bfc68989ee3

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

MD5 aab3cb72e45ab20793df93987f57f517
SHA1 086ffd96a2fe20fa5b9e69d6885409fb92576c9d
SHA256 eac76b2556f26ffae62cd4104dd24e629b2aca3398441f3decec751639322c8e
SHA512 721e6494b4964c8743bce9a4a4f8ec5217a86bf0c3ed07f56acea0370ef3c5eccf10592f4f01c4fcf7d88e355a84fafff8f233512047ac77a2f82bfc68989ee3

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2961194.exe

MD5 aab3cb72e45ab20793df93987f57f517
SHA1 086ffd96a2fe20fa5b9e69d6885409fb92576c9d
SHA256 eac76b2556f26ffae62cd4104dd24e629b2aca3398441f3decec751639322c8e
SHA512 721e6494b4964c8743bce9a4a4f8ec5217a86bf0c3ed07f56acea0370ef3c5eccf10592f4f01c4fcf7d88e355a84fafff8f233512047ac77a2f82bfc68989ee3

memory/1192-32-0x0000000002B50000-0x0000000002B66000-memory.dmp

memory/2736-35-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4D74.exe

MD5 e5b41e4d3968f7a551375467bfa61ce5
SHA1 1c586f294bb35f3ebd526d9cb8360e9f81b728e0
SHA256 b524acb6b41d1e5ce707816496e1656ee94685a90b0b03435c1286ff3ae2a94b
SHA512 aad2e0d486fb168f57fb52a8f4b54bbf57f3a006091f7dbc4fc59e99b80b896cbfe81990027ef0a8547317ca283991f2be926151f8b7f5554771ebc0d5730f13

C:\Users\Admin\AppData\Local\Temp\4D74.exe

MD5 e5b41e4d3968f7a551375467bfa61ce5
SHA1 1c586f294bb35f3ebd526d9cb8360e9f81b728e0
SHA256 b524acb6b41d1e5ce707816496e1656ee94685a90b0b03435c1286ff3ae2a94b
SHA512 aad2e0d486fb168f57fb52a8f4b54bbf57f3a006091f7dbc4fc59e99b80b896cbfe81990027ef0a8547317ca283991f2be926151f8b7f5554771ebc0d5730f13

\Users\Admin\AppData\Local\Temp\4D74.exe

MD5 e5b41e4d3968f7a551375467bfa61ce5
SHA1 1c586f294bb35f3ebd526d9cb8360e9f81b728e0
SHA256 b524acb6b41d1e5ce707816496e1656ee94685a90b0b03435c1286ff3ae2a94b
SHA512 aad2e0d486fb168f57fb52a8f4b54bbf57f3a006091f7dbc4fc59e99b80b896cbfe81990027ef0a8547317ca283991f2be926151f8b7f5554771ebc0d5730f13

C:\Users\Admin\AppData\Local\Temp\4E7F.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WS5OY2lM.exe

MD5 d05d23fdf50e490bc301d002d304efb5
SHA1 a873ecbd1267ede15f3d1a37cefc57f3af36f614
SHA256 61eec13eea4fd72c903991487e94abc4750ccb2d0a7eff9806bab70518bb4f2a
SHA512 0c47b2ceee392bb4f94690d9ebd45af7108ad59ea651e4f12c6526695055ea38489140a925db275b46779518ed436241b036038c8e3934b762fa78aec44bb30b

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bB1Ol2hS.exe

MD5 8ae472d9f76dffe0e5e4777a25b213a6
SHA1 4600844f6eed0b0da9d07f7f45ee3801f9997e49
SHA256 c5caa04a821f39d86a46d15d4b96b0c1a2a73de3d6a92b667b830c9c1d477ce1
SHA512 e11679e9a022a49a70f5f1f38ec80113615569a3ab65c629fac27259547bddbed1af770939f1d7a2cacf3a0a43f9120b1db399495e210358d865e550e4060cd1

\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

\Users\Admin\AppData\Local\Temp\IXP004.TMP\em6sS5Wk.exe

MD5 e5aeb294d397bbbb43d8ba695b49632f
SHA1 7f10ef983ec655727ac26be17bd0b27b2e516de5
SHA256 424f177cb32f62417381b3f6f62006bfde6136d6fbf0e442a188b42c898ceaa2
SHA512 92f519453a7e29a438884befc0e17b3f9d997fb9ba0c6f182bc03764c0ac8dd61e07537e4bd01499747e8257289e63480681d2ab980e37fd1c36bd13c013d6b6

\Users\Admin\AppData\Local\Temp\4E7F.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

\Users\Admin\AppData\Local\Temp\4E7F.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

\Users\Admin\AppData\Local\Temp\4E7F.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

\Users\Admin\AppData\Local\Temp\4E7F.exe

MD5 f1432a4597fa0744d496cbe8ebd50fd5
SHA1 99e96566aaee582913978531396110bc171101e5
SHA256 85f10bec21a78984acfed0f51a06e75b597b8a880f98e6e76af1438b3f5eef5f
SHA512 d6aed590959077a9fd5299a19ce3538cf943e8da260972d83f471b76e0a98b8570587171abc20fac7acddc44278be2248e9a79ec81435d03105b5949111ff438

\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

C:\Users\Admin\AppData\Local\Temp\5295.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\5295.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FY0Vk8iU.exe

MD5 081505ab58ebdecd989060fbd9330e99
SHA1 3ecf8b697aa12771c535d08728a8edf45cc05fa9
SHA256 6e828fa943119fe1836982e9a7e1a3728a0bc20fe9d33282d044acb0b2ced632
SHA512 775f782a500d67df4d5aae34e6f67d31010dc7a9d74ab36d901f4508f964c8d9f0dd9955aa8b39ae459d6e420c63628ac89efe747c6d0e17fb4ae66137131d59

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

C:\Users\Admin\AppData\Local\Temp\532F.tmp\5330.tmp\5340.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\54F6.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\IXP006.TMP\1ZO32QK3.exe

MD5 6bf588e59ed172b64884b5f3fcfca44a
SHA1 77cf14d4acd26a1806faa8391da5946f9aa59f0a
SHA256 8e52ae38fbb221d9a443f30626f1ae78ce5ed0d3d9bc99e88dacaf33624c1ac9
SHA512 94029ef036472398d086b6579d825fd54184f9441d98917280d2c6ab2f48c3c0d2d2bfaeea9434c85d9483c2c2010dc8195f10c134768b8966e6ddf5f11ea2cf

\Users\Admin\AppData\Local\Temp\54F6.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

\Users\Admin\AppData\Local\Temp\54F6.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

\Users\Admin\AppData\Local\Temp\54F6.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

\Users\Admin\AppData\Local\Temp\54F6.exe

MD5 6413b4ae9e37c89aaa4e17b1bd0b1070
SHA1 bbe5992bfa8cdf5268fdcf29bd4529d8628d3e69
SHA256 68f35928de6711cc7ef4c13a4b9af2975221145bcfa54feb5d28a344ff88f1b1
SHA512 766af5050207e85020c8796c265ac3472dfcdfda1a9da82d6f991766de5bcb38b20f11e1dc8faa1838713027a51145d7fbc8615385071ace9c5130c08279eceb

C:\Users\Admin\AppData\Local\Temp\5861.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\5861.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/2696-140-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\598A.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\598A.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/2696-154-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84B0.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\84B0.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/2696-160-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

memory/868-161-0x0000000000970000-0x000000000189A000-memory.dmp

memory/2696-162-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

memory/868-164-0x0000000073320000-0x0000000073A0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/1540-185-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/1540-186-0x0000000000A80000-0x0000000000F96000-memory.dmp

memory/996-188-0x0000000004130000-0x0000000004528000-memory.dmp

memory/868-192-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/1872-195-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1872-197-0x0000000000400000-0x0000000000409000-memory.dmp

memory/996-196-0x0000000004130000-0x0000000004528000-memory.dmp

memory/1780-194-0x00000000001B0000-0x00000000001B9000-memory.dmp

memory/996-198-0x0000000004530000-0x0000000004E1B000-memory.dmp

memory/1780-191-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/1872-190-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/996-199-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1540-200-0x0000000005370000-0x00000000053B0000-memory.dmp

memory/1540-201-0x0000000000430000-0x0000000000431000-memory.dmp

memory/1192-202-0x0000000002B90000-0x0000000002BA6000-memory.dmp

memory/1872-203-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1540-207-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/996-208-0x0000000004130000-0x0000000004528000-memory.dmp

memory/996-209-0x0000000000400000-0x000000000266D000-memory.dmp

memory/996-210-0x0000000004530000-0x0000000004E1B000-memory.dmp

memory/2920-211-0x000000013F480000-0x000000013FA21000-memory.dmp

memory/996-213-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BFFC.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/2988-219-0x0000000000230000-0x000000000028A000-memory.dmp

memory/2988-223-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2988-224-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/1540-225-0x0000000005370000-0x00000000053B0000-memory.dmp

memory/996-227-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D3BC.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/2988-236-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/1680-237-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1680-238-0x0000000000020000-0x000000000003E000-memory.dmp

memory/1680-242-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/1020-246-0x00000000000D0000-0x00000000000EE000-memory.dmp

memory/1020-247-0x0000000073320000-0x0000000073A0E000-memory.dmp

memory/996-248-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1360-254-0x000000001B0C0000-0x000000001B3A2000-memory.dmp

memory/1360-255-0x0000000002450000-0x0000000002458000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\09LM92GZN68KPVNI11T1.temp

MD5 ce0e9852dee2d5d0ca9a3b71bf899d78
SHA1 07b6c8dec1babf3438aaae237200dcb56b842d7a
SHA256 a4ba4ce8123f5ac46b2ffbfa8c71133d089094241c91e7b5297bbb6d37dc6786
SHA512 9737c7c879763fcffd0495da7296245f82d2278030e9928f8c3ba39b9a34fa51a1ef43f2d6837fff80a6e26e251467544f0b686e62159acff79be9b2719003d2

C:\Users\Admin\AppData\Local\Temp\Cab5063.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar51CD.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\Local\Temp\tmp55B9.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp55CE.tmp

MD5 9c3d41e4722dcc865c20255a59633821
SHA1 f3d6bb35f00f830a21d442a69bc5d30075e0c09b
SHA256 8a9827a58c3989200107213c7a8f6bc8074b6bd0db04b7f808bd123d2901972d
SHA512 55f0e7f0b42b21a0f27ef85366ccc5aa2b11efaad3fddb5de56207e8a17ee7077e7d38bde61ab53b96fae87c1843b57c3f79846ece076a5ab128a804951a3e14

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
