Malware Analysis Report

2025-01-23 08:54

Sample ID 231010-zg3mvaaa21
Target 63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c
SHA256 63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c
Tags
amadey dcrat glupteba healer redline rhadamanthys sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan lutyr magia
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c

Threat Level: Known bad

The file 63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba healer redline rhadamanthys sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan lutyr magia

Glupteba payload

Modifies Windows Defender Real-time Protection settings

Glupteba

Detect rhadamanthys stealer shellcode

RedLine payload

DcRat

SectopRAT

Rhadamanthys

Amadey

Detects Healer an antivirus disabler dropper

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Windows security bypass

SectopRAT payload

RedLine

Healer

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Windows security modification

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 20:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 20:42

Reported

2023-10-10 21:11

Platform

win7-20230831-en

Max time kernel

177s

Max time network

209s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\F2EB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F2EB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\F2EB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\F2EB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F2EB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\F2EB.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2064 created 1212 N/A C:\Users\Admin\AppData\Local\Temp\7BFD.exe C:\Windows\Explorer.EXE
PID 1652 created 1212 N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe C:\Windows\Explorer.EXE
PID 1652 created 1212 N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe C:\Windows\Explorer.EXE

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B56A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DE7E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E034.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E8AD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F2EB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F675.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\260D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56CE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5C3C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6C05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7BFD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7BFD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B56A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B56A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F675.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56CE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\56CE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\260D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\260D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\260D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\260D.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\260D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\260D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7BFD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\F2EB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\F2EB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\B56A.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20231010211015.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\6C05.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\6C05.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\6C05.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\6C05.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F2EB.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6C05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7BFD.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2776 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2776 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2776 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2776 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\SysWOW64\WerFault.exe
PID 2776 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\SysWOW64\WerFault.exe
PID 1212 wrote to memory of 2508 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B56A.exe
PID 1212 wrote to memory of 2508 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B56A.exe
PID 1212 wrote to memory of 2508 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B56A.exe
PID 1212 wrote to memory of 2508 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B56A.exe
PID 1212 wrote to memory of 2508 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B56A.exe
PID 1212 wrote to memory of 2508 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B56A.exe
PID 1212 wrote to memory of 2508 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B56A.exe
PID 1212 wrote to memory of 2548 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DE7E.exe
PID 1212 wrote to memory of 2548 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DE7E.exe
PID 1212 wrote to memory of 2548 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DE7E.exe
PID 1212 wrote to memory of 2548 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DE7E.exe
PID 2548 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\DE7E.exe C:\Windows\SysWOW64\WerFault.exe
PID 2548 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\DE7E.exe C:\Windows\SysWOW64\WerFault.exe
PID 2548 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\DE7E.exe C:\Windows\SysWOW64\WerFault.exe
PID 2548 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\DE7E.exe C:\Windows\SysWOW64\WerFault.exe
PID 1212 wrote to memory of 2484 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E034.bat
PID 1212 wrote to memory of 2484 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E034.bat
PID 1212 wrote to memory of 2484 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E034.bat
PID 1212 wrote to memory of 2484 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E034.bat
PID 2484 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\E034.bat C:\Windows\system32\cmd.exe
PID 2484 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\E034.bat C:\Windows\system32\cmd.exe
PID 2484 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\E034.bat C:\Windows\system32\cmd.exe
PID 2484 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\E034.bat C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2852 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E8AD.exe
PID 1212 wrote to memory of 2852 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E8AD.exe
PID 1212 wrote to memory of 2852 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E8AD.exe
PID 1212 wrote to memory of 2852 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E8AD.exe
PID 2508 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\B56A.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe
PID 2508 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\B56A.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe
PID 2508 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\B56A.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe
PID 2508 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\B56A.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe
PID 2508 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\B56A.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe
PID 2508 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\B56A.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe
PID 2508 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\B56A.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe
PID 2304 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe
PID 2304 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe
PID 2304 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe
PID 2304 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe
PID 2304 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe
PID 2304 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe
PID 2304 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe
PID 1212 wrote to memory of 1448 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F2EB.exe
PID 1212 wrote to memory of 1448 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F2EB.exe
PID 1212 wrote to memory of 1448 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F2EB.exe
PID 2852 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\E8AD.exe C:\Windows\SysWOW64\WerFault.exe
PID 2852 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\E8AD.exe C:\Windows\SysWOW64\WerFault.exe
PID 2852 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\E8AD.exe C:\Windows\SysWOW64\WerFault.exe
PID 2852 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\E8AD.exe C:\Windows\SysWOW64\WerFault.exe
PID 1344 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe
PID 1344 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe

"C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 68

C:\Users\Admin\AppData\Local\Temp\B56A.exe

C:\Users\Admin\AppData\Local\Temp\B56A.exe

C:\Users\Admin\AppData\Local\Temp\DE7E.exe

C:\Users\Admin\AppData\Local\Temp\DE7E.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 132

C:\Users\Admin\AppData\Local\Temp\E034.bat

"C:\Users\Admin\AppData\Local\Temp\E034.bat"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F122.tmp\F123.tmp\F124.bat C:\Users\Admin\AppData\Local\Temp\E034.bat"

C:\Users\Admin\AppData\Local\Temp\E8AD.exe

C:\Users\Admin\AppData\Local\Temp\E8AD.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe

C:\Users\Admin\AppData\Local\Temp\F2EB.exe

C:\Users\Admin\AppData\Local\Temp\F2EB.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 132

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe

C:\Users\Admin\AppData\Local\Temp\F675.exe

C:\Users\Admin\AppData\Local\Temp\F675.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 280

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\260D.exe

C:\Users\Admin\AppData\Local\Temp\260D.exe

C:\Users\Admin\AppData\Local\Temp\56CE.exe

C:\Users\Admin\AppData\Local\Temp\56CE.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 524

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\5C3C.exe

C:\Users\Admin\AppData\Local\Temp\5C3C.exe

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 508

C:\Users\Admin\AppData\Local\Temp\6C05.exe

C:\Users\Admin\AppData\Local\Temp\6C05.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\7BFD.exe

C:\Users\Admin\AppData\Local\Temp\7BFD.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {8A5F9CB1-424F-450D-9500-247245527916} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Roaming\aeraetb

C:\Users\Admin\AppData\Roaming\aeraetb

C:\Users\Admin\AppData\Local\Temp\7BFD.exe

C:\Users\Admin\AppData\Local\Temp\7BFD.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010211015.log C:\Windows\Logs\CBS\CbsPersist_20231010211015.cab

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 amx395.xyz udp
DE 185.234.72.86:80 amx395.xyz tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.75.172:443 api.ip.sb tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp

Files

memory/2656-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2656-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2656-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2656-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2656-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2656-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1212-5-0x0000000002F40000-0x0000000002F56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B56A.exe

MD5 26e16643800e11da6d23a668fe5bffc4
SHA1 f3395c143dc6da867b784da8c55c84673c20403a
SHA256 b6509e5dc57e9c64f02a41436d7f083981c39bd44e66570f553e2c012aa895c0
SHA512 e17f8d29e768268e32f2c8c5f1ec57f62496c0caf5c9b1c03c6c918aa5e6ae2fcd8156853e118f0834545ab8b04b9e731d8f8ae67a1527a8b0882f7373c60841

C:\Users\Admin\AppData\Local\Temp\DE7E.exe

MD5 3573958cb38edffb8315c24dd715bd87
SHA1 6f78fe8ef4c0015da6df4183fe7e6226e629bf4c
SHA256 f2e98024fa0363c4199c28a2b8c25d621fe5beff48a65b06009263ad5005e8a8
SHA512 2b12a58dc5373caf2695ef6842cfb7296929e3bfb604a5c7a3a1030928c24e8ae602221ef68458b7b3efcd698c05c25f352dfc21b3551cf6809e55ff3175a686

C:\Users\Admin\AppData\Local\Temp\B56A.exe

MD5 26e16643800e11da6d23a668fe5bffc4
SHA1 f3395c143dc6da867b784da8c55c84673c20403a
SHA256 b6509e5dc57e9c64f02a41436d7f083981c39bd44e66570f553e2c012aa895c0
SHA512 e17f8d29e768268e32f2c8c5f1ec57f62496c0caf5c9b1c03c6c918aa5e6ae2fcd8156853e118f0834545ab8b04b9e731d8f8ae67a1527a8b0882f7373c60841

\Users\Admin\AppData\Local\Temp\DE7E.exe

MD5 3573958cb38edffb8315c24dd715bd87
SHA1 6f78fe8ef4c0015da6df4183fe7e6226e629bf4c
SHA256 f2e98024fa0363c4199c28a2b8c25d621fe5beff48a65b06009263ad5005e8a8
SHA512 2b12a58dc5373caf2695ef6842cfb7296929e3bfb604a5c7a3a1030928c24e8ae602221ef68458b7b3efcd698c05c25f352dfc21b3551cf6809e55ff3175a686

\Users\Admin\AppData\Local\Temp\DE7E.exe

MD5 3573958cb38edffb8315c24dd715bd87
SHA1 6f78fe8ef4c0015da6df4183fe7e6226e629bf4c
SHA256 f2e98024fa0363c4199c28a2b8c25d621fe5beff48a65b06009263ad5005e8a8
SHA512 2b12a58dc5373caf2695ef6842cfb7296929e3bfb604a5c7a3a1030928c24e8ae602221ef68458b7b3efcd698c05c25f352dfc21b3551cf6809e55ff3175a686

\Users\Admin\AppData\Local\Temp\DE7E.exe

MD5 3573958cb38edffb8315c24dd715bd87
SHA1 6f78fe8ef4c0015da6df4183fe7e6226e629bf4c
SHA256 f2e98024fa0363c4199c28a2b8c25d621fe5beff48a65b06009263ad5005e8a8
SHA512 2b12a58dc5373caf2695ef6842cfb7296929e3bfb604a5c7a3a1030928c24e8ae602221ef68458b7b3efcd698c05c25f352dfc21b3551cf6809e55ff3175a686

\Users\Admin\AppData\Local\Temp\DE7E.exe

MD5 3573958cb38edffb8315c24dd715bd87
SHA1 6f78fe8ef4c0015da6df4183fe7e6226e629bf4c
SHA256 f2e98024fa0363c4199c28a2b8c25d621fe5beff48a65b06009263ad5005e8a8
SHA512 2b12a58dc5373caf2695ef6842cfb7296929e3bfb604a5c7a3a1030928c24e8ae602221ef68458b7b3efcd698c05c25f352dfc21b3551cf6809e55ff3175a686

C:\Users\Admin\AppData\Local\Temp\E034.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\E034.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

\Users\Admin\AppData\Local\Temp\B56A.exe

MD5 26e16643800e11da6d23a668fe5bffc4
SHA1 f3395c143dc6da867b784da8c55c84673c20403a
SHA256 b6509e5dc57e9c64f02a41436d7f083981c39bd44e66570f553e2c012aa895c0
SHA512 e17f8d29e768268e32f2c8c5f1ec57f62496c0caf5c9b1c03c6c918aa5e6ae2fcd8156853e118f0834545ab8b04b9e731d8f8ae67a1527a8b0882f7373c60841

C:\Users\Admin\AppData\Local\Temp\E8AD.exe

MD5 387577cb83814176b06f8f0631fea132
SHA1 a204ff6e96ff6e6e4cbcc8d6e855132180591449
SHA256 1d7bbec9f8fa7660280d7c70ac3c7ac52415b8646d03f84644afc2acd0ade8ea
SHA512 af799a35c5b4f6badd7e63784e5c446d9bf4c5b4ee434d8d91e77e368d6b0f626312c9e942ee948e913772327bfb4294286577b29686935bfd4e8f0363fd417c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe

MD5 a18283afb2aae9c440b749f41eb23c42
SHA1 1090de0f48e997dc328312b3ffab7586029c0138
SHA256 e68c2f69d853606257c37a1e36a52a17b22b49593126adc0a2540ba316fb1d2d
SHA512 0bf8c00e37332699dd387c93eb1fbe801f4a7725bfb26863acd3b3392cb3772b768cf62edd7c5d2df2c8c2cbbfe054f42f7b8c8055be8232f9c4eaf4ac922da7

\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe

MD5 a18283afb2aae9c440b749f41eb23c42
SHA1 1090de0f48e997dc328312b3ffab7586029c0138
SHA256 e68c2f69d853606257c37a1e36a52a17b22b49593126adc0a2540ba316fb1d2d
SHA512 0bf8c00e37332699dd387c93eb1fbe801f4a7725bfb26863acd3b3392cb3772b768cf62edd7c5d2df2c8c2cbbfe054f42f7b8c8055be8232f9c4eaf4ac922da7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe

MD5 a18283afb2aae9c440b749f41eb23c42
SHA1 1090de0f48e997dc328312b3ffab7586029c0138
SHA256 e68c2f69d853606257c37a1e36a52a17b22b49593126adc0a2540ba316fb1d2d
SHA512 0bf8c00e37332699dd387c93eb1fbe801f4a7725bfb26863acd3b3392cb3772b768cf62edd7c5d2df2c8c2cbbfe054f42f7b8c8055be8232f9c4eaf4ac922da7

C:\Users\Admin\AppData\Local\Temp\F122.tmp\F123.tmp\F124.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe

MD5 a18283afb2aae9c440b749f41eb23c42
SHA1 1090de0f48e997dc328312b3ffab7586029c0138
SHA256 e68c2f69d853606257c37a1e36a52a17b22b49593126adc0a2540ba316fb1d2d
SHA512 0bf8c00e37332699dd387c93eb1fbe801f4a7725bfb26863acd3b3392cb3772b768cf62edd7c5d2df2c8c2cbbfe054f42f7b8c8055be8232f9c4eaf4ac922da7

\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe

MD5 56d9fbce98df03bad77c09372964d861
SHA1 15254dcce30064aebc7021dc39136deb562bf6d2
SHA256 59cd12882e61f870ac687865c0db70a7c8e7a326bcaae1503e91044672bb8eb0
SHA512 f82d69c59c94876f3dfb0d86eb9e0206b216fc2392633d1805cbed7d5b252280a1a670973d0dd4ce063e29cc32f8cbdf9f9933178d0a572c91d923578e9a0ed4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe

MD5 56d9fbce98df03bad77c09372964d861
SHA1 15254dcce30064aebc7021dc39136deb562bf6d2
SHA256 59cd12882e61f870ac687865c0db70a7c8e7a326bcaae1503e91044672bb8eb0
SHA512 f82d69c59c94876f3dfb0d86eb9e0206b216fc2392633d1805cbed7d5b252280a1a670973d0dd4ce063e29cc32f8cbdf9f9933178d0a572c91d923578e9a0ed4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe

MD5 56d9fbce98df03bad77c09372964d861
SHA1 15254dcce30064aebc7021dc39136deb562bf6d2
SHA256 59cd12882e61f870ac687865c0db70a7c8e7a326bcaae1503e91044672bb8eb0
SHA512 f82d69c59c94876f3dfb0d86eb9e0206b216fc2392633d1805cbed7d5b252280a1a670973d0dd4ce063e29cc32f8cbdf9f9933178d0a572c91d923578e9a0ed4

\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe

MD5 56d9fbce98df03bad77c09372964d861
SHA1 15254dcce30064aebc7021dc39136deb562bf6d2
SHA256 59cd12882e61f870ac687865c0db70a7c8e7a326bcaae1503e91044672bb8eb0
SHA512 f82d69c59c94876f3dfb0d86eb9e0206b216fc2392633d1805cbed7d5b252280a1a670973d0dd4ce063e29cc32f8cbdf9f9933178d0a572c91d923578e9a0ed4

C:\Users\Admin\AppData\Local\Temp\F2EB.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\F2EB.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

\Users\Admin\AppData\Local\Temp\E8AD.exe

MD5 387577cb83814176b06f8f0631fea132
SHA1 a204ff6e96ff6e6e4cbcc8d6e855132180591449
SHA256 1d7bbec9f8fa7660280d7c70ac3c7ac52415b8646d03f84644afc2acd0ade8ea
SHA512 af799a35c5b4f6badd7e63784e5c446d9bf4c5b4ee434d8d91e77e368d6b0f626312c9e942ee948e913772327bfb4294286577b29686935bfd4e8f0363fd417c

\Users\Admin\AppData\Local\Temp\E8AD.exe

MD5 387577cb83814176b06f8f0631fea132
SHA1 a204ff6e96ff6e6e4cbcc8d6e855132180591449
SHA256 1d7bbec9f8fa7660280d7c70ac3c7ac52415b8646d03f84644afc2acd0ade8ea
SHA512 af799a35c5b4f6badd7e63784e5c446d9bf4c5b4ee434d8d91e77e368d6b0f626312c9e942ee948e913772327bfb4294286577b29686935bfd4e8f0363fd417c

\Users\Admin\AppData\Local\Temp\E8AD.exe

MD5 387577cb83814176b06f8f0631fea132
SHA1 a204ff6e96ff6e6e4cbcc8d6e855132180591449
SHA256 1d7bbec9f8fa7660280d7c70ac3c7ac52415b8646d03f84644afc2acd0ade8ea
SHA512 af799a35c5b4f6badd7e63784e5c446d9bf4c5b4ee434d8d91e77e368d6b0f626312c9e942ee948e913772327bfb4294286577b29686935bfd4e8f0363fd417c

\Users\Admin\AppData\Local\Temp\E8AD.exe

MD5 387577cb83814176b06f8f0631fea132
SHA1 a204ff6e96ff6e6e4cbcc8d6e855132180591449
SHA256 1d7bbec9f8fa7660280d7c70ac3c7ac52415b8646d03f84644afc2acd0ade8ea
SHA512 af799a35c5b4f6badd7e63784e5c446d9bf4c5b4ee434d8d91e77e368d6b0f626312c9e942ee948e913772327bfb4294286577b29686935bfd4e8f0363fd417c

C:\Users\Admin\AppData\Local\Temp\F675.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\F675.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe

MD5 8421f6b463d0612dec16db3e0c029f2f
SHA1 d90d59dd217a0cdc2c7e808d6f97f2fa0ed949b9
SHA256 928bccfe9b0c43f6d915f8b08d4e5a385a12736686da90b913f40966313523f9
SHA512 f75c86034d090a626008e9fbd8a087e9a136a04a865fe1767166069718daaeb1140be31f3b4d99f63719f223586afdebf97c828771ea2622f5d9d3d843490230

\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe

MD5 aacac442fd439606eb6122177bea54ec
SHA1 a8b58402a720b454802a188d5906fd1df6ec01b3
SHA256 d95b2814893ec3043908919a2c73c24ba006c589c6ad49d3cfc31dfe7e134265
SHA512 c1c73a8985d9b2bf836309b4e853ffe37e582716b400b71ed363b5af954f4c562d35038c0155f915f87668499273d3131cbb63f3854f388aa971f3547719847d

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe

MD5 aacac442fd439606eb6122177bea54ec
SHA1 a8b58402a720b454802a188d5906fd1df6ec01b3
SHA256 d95b2814893ec3043908919a2c73c24ba006c589c6ad49d3cfc31dfe7e134265
SHA512 c1c73a8985d9b2bf836309b4e853ffe37e582716b400b71ed363b5af954f4c562d35038c0155f915f87668499273d3131cbb63f3854f388aa971f3547719847d

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe

MD5 aacac442fd439606eb6122177bea54ec
SHA1 a8b58402a720b454802a188d5906fd1df6ec01b3
SHA256 d95b2814893ec3043908919a2c73c24ba006c589c6ad49d3cfc31dfe7e134265
SHA512 c1c73a8985d9b2bf836309b4e853ffe37e582716b400b71ed363b5af954f4c562d35038c0155f915f87668499273d3131cbb63f3854f388aa971f3547719847d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe

MD5 aacac442fd439606eb6122177bea54ec
SHA1 a8b58402a720b454802a188d5906fd1df6ec01b3
SHA256 d95b2814893ec3043908919a2c73c24ba006c589c6ad49d3cfc31dfe7e134265
SHA512 c1c73a8985d9b2bf836309b4e853ffe37e582716b400b71ed363b5af954f4c562d35038c0155f915f87668499273d3131cbb63f3854f388aa971f3547719847d

\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe

MD5 8421f6b463d0612dec16db3e0c029f2f
SHA1 d90d59dd217a0cdc2c7e808d6f97f2fa0ed949b9
SHA256 928bccfe9b0c43f6d915f8b08d4e5a385a12736686da90b913f40966313523f9
SHA512 f75c86034d090a626008e9fbd8a087e9a136a04a865fe1767166069718daaeb1140be31f3b4d99f63719f223586afdebf97c828771ea2622f5d9d3d843490230

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe

MD5 8421f6b463d0612dec16db3e0c029f2f
SHA1 d90d59dd217a0cdc2c7e808d6f97f2fa0ed949b9
SHA256 928bccfe9b0c43f6d915f8b08d4e5a385a12736686da90b913f40966313523f9
SHA512 f75c86034d090a626008e9fbd8a087e9a136a04a865fe1767166069718daaeb1140be31f3b4d99f63719f223586afdebf97c828771ea2622f5d9d3d843490230

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe

MD5 8421f6b463d0612dec16db3e0c029f2f
SHA1 d90d59dd217a0cdc2c7e808d6f97f2fa0ed949b9
SHA256 928bccfe9b0c43f6d915f8b08d4e5a385a12736686da90b913f40966313523f9
SHA512 f75c86034d090a626008e9fbd8a087e9a136a04a865fe1767166069718daaeb1140be31f3b4d99f63719f223586afdebf97c828771ea2622f5d9d3d843490230

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe

MD5 4e10fde88dd9d2d63f426599a292444e
SHA1 aab6ffd77142b05a285bdfe17a0d81b9f104a144
SHA256 deca3ae35cab3253c52e03468f324bd45922c0e2eab9cf453eede5d75cdaad8e
SHA512 6d9b64a47ffc5e4dfd947da76833bad56be34a57993b55cbceb8f48be0ec556f3367eb78b05e93fcfed5d9a879770148bee74dc0da4f762b5f98d7c1efe527f8

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe

MD5 4e10fde88dd9d2d63f426599a292444e
SHA1 aab6ffd77142b05a285bdfe17a0d81b9f104a144
SHA256 deca3ae35cab3253c52e03468f324bd45922c0e2eab9cf453eede5d75cdaad8e
SHA512 6d9b64a47ffc5e4dfd947da76833bad56be34a57993b55cbceb8f48be0ec556f3367eb78b05e93fcfed5d9a879770148bee74dc0da4f762b5f98d7c1efe527f8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe

MD5 4e10fde88dd9d2d63f426599a292444e
SHA1 aab6ffd77142b05a285bdfe17a0d81b9f104a144
SHA256 deca3ae35cab3253c52e03468f324bd45922c0e2eab9cf453eede5d75cdaad8e
SHA512 6d9b64a47ffc5e4dfd947da76833bad56be34a57993b55cbceb8f48be0ec556f3367eb78b05e93fcfed5d9a879770148bee74dc0da4f762b5f98d7c1efe527f8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe

MD5 4e10fde88dd9d2d63f426599a292444e
SHA1 aab6ffd77142b05a285bdfe17a0d81b9f104a144
SHA256 deca3ae35cab3253c52e03468f324bd45922c0e2eab9cf453eede5d75cdaad8e
SHA512 6d9b64a47ffc5e4dfd947da76833bad56be34a57993b55cbceb8f48be0ec556f3367eb78b05e93fcfed5d9a879770148bee74dc0da4f762b5f98d7c1efe527f8

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe

MD5 4e10fde88dd9d2d63f426599a292444e
SHA1 aab6ffd77142b05a285bdfe17a0d81b9f104a144
SHA256 deca3ae35cab3253c52e03468f324bd45922c0e2eab9cf453eede5d75cdaad8e
SHA512 6d9b64a47ffc5e4dfd947da76833bad56be34a57993b55cbceb8f48be0ec556f3367eb78b05e93fcfed5d9a879770148bee74dc0da4f762b5f98d7c1efe527f8

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe

MD5 4e10fde88dd9d2d63f426599a292444e
SHA1 aab6ffd77142b05a285bdfe17a0d81b9f104a144
SHA256 deca3ae35cab3253c52e03468f324bd45922c0e2eab9cf453eede5d75cdaad8e
SHA512 6d9b64a47ffc5e4dfd947da76833bad56be34a57993b55cbceb8f48be0ec556f3367eb78b05e93fcfed5d9a879770148bee74dc0da4f762b5f98d7c1efe527f8

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe

MD5 4e10fde88dd9d2d63f426599a292444e
SHA1 aab6ffd77142b05a285bdfe17a0d81b9f104a144
SHA256 deca3ae35cab3253c52e03468f324bd45922c0e2eab9cf453eede5d75cdaad8e
SHA512 6d9b64a47ffc5e4dfd947da76833bad56be34a57993b55cbceb8f48be0ec556f3367eb78b05e93fcfed5d9a879770148bee74dc0da4f762b5f98d7c1efe527f8

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe

MD5 4e10fde88dd9d2d63f426599a292444e
SHA1 aab6ffd77142b05a285bdfe17a0d81b9f104a144
SHA256 deca3ae35cab3253c52e03468f324bd45922c0e2eab9cf453eede5d75cdaad8e
SHA512 6d9b64a47ffc5e4dfd947da76833bad56be34a57993b55cbceb8f48be0ec556f3367eb78b05e93fcfed5d9a879770148bee74dc0da4f762b5f98d7c1efe527f8

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1448-135-0x0000000000A70000-0x0000000000A7A000-memory.dmp

memory/1448-136-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\260D.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\260D.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/2960-141-0x0000000073750000-0x0000000073E3E000-memory.dmp

memory/2960-142-0x0000000000E00000-0x0000000001D2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\56CE.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\56CE.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/1696-150-0x0000000000230000-0x000000000028A000-memory.dmp

memory/1448-154-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

memory/1696-156-0x0000000000400000-0x000000000046F000-memory.dmp

\Users\Admin\AppData\Local\Temp\56CE.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\56CE.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/1696-157-0x0000000073750000-0x0000000073E3E000-memory.dmp

\Users\Admin\AppData\Local\Temp\56CE.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

\Users\Admin\AppData\Local\Temp\56CE.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

\Users\Admin\AppData\Local\Temp\56CE.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\5C3C.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

C:\Users\Admin\AppData\Local\Temp\5C3C.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/1740-196-0x0000000002430000-0x0000000002530000-memory.dmp

memory/1948-199-0x0000000003D90000-0x0000000004188000-memory.dmp

memory/1740-198-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2400-201-0x0000000073750000-0x0000000073E3E000-memory.dmp

memory/2240-192-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2240-202-0x0000000073750000-0x0000000073E3E000-memory.dmp

memory/2240-188-0x0000000000020000-0x000000000003E000-memory.dmp

memory/2400-203-0x00000000000E0000-0x00000000005F6000-memory.dmp

memory/1948-205-0x0000000003D90000-0x0000000004188000-memory.dmp

memory/1944-207-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1944-204-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1948-208-0x0000000004190000-0x0000000004A7B000-memory.dmp

memory/1944-214-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2960-215-0x0000000073750000-0x0000000073E3E000-memory.dmp

memory/932-216-0x0000000073750000-0x0000000073E3E000-memory.dmp

memory/932-217-0x0000000000BE0000-0x0000000000BFE000-memory.dmp

memory/2960-219-0x0000000073750000-0x0000000073E3E000-memory.dmp

memory/1948-220-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1448-221-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp

memory/2400-223-0x0000000005180000-0x00000000051C0000-memory.dmp

memory/1804-226-0x0000000001270000-0x000000000145A000-memory.dmp

memory/1696-227-0x0000000073750000-0x0000000073E3E000-memory.dmp

memory/1804-228-0x0000000073750000-0x0000000073E3E000-memory.dmp

memory/1804-229-0x0000000004BD0000-0x0000000004C10000-memory.dmp

memory/2400-230-0x0000000073750000-0x0000000073E3E000-memory.dmp

memory/1948-231-0x0000000003D90000-0x0000000004188000-memory.dmp

memory/2400-232-0x00000000007C0000-0x00000000007C1000-memory.dmp

memory/1804-233-0x0000000001060000-0x00000000010DC000-memory.dmp

memory/1804-234-0x0000000001190000-0x0000000001208000-memory.dmp

memory/1804-235-0x0000000004A60000-0x0000000004AC8000-memory.dmp

memory/1212-237-0x0000000002F80000-0x0000000002F96000-memory.dmp

memory/1944-238-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1948-236-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2240-242-0x0000000073750000-0x0000000073E3E000-memory.dmp

memory/1804-244-0x0000000000820000-0x000000000086C000-memory.dmp

memory/932-243-0x0000000004080000-0x00000000040C0000-memory.dmp

memory/1948-245-0x0000000004190000-0x0000000004A7B000-memory.dmp

memory/932-246-0x0000000073750000-0x0000000073E3E000-memory.dmp

memory/2064-247-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2064-248-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2064-249-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2064-250-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2064-252-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2064-254-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2064-256-0x0000000000400000-0x0000000000473000-memory.dmp

memory/1804-257-0x0000000073750000-0x0000000073E3E000-memory.dmp

memory/1652-258-0x000000013F0D0000-0x000000013F671000-memory.dmp

memory/2400-259-0x0000000005180000-0x00000000051C0000-memory.dmp

memory/2064-260-0x0000000000090000-0x0000000000097000-memory.dmp

memory/2064-261-0x0000000000C60000-0x0000000001060000-memory.dmp

memory/2064-262-0x0000000000C60000-0x0000000001060000-memory.dmp

memory/2064-263-0x0000000000C60000-0x0000000001060000-memory.dmp

memory/2064-264-0x0000000000C60000-0x0000000001060000-memory.dmp

memory/1948-265-0x0000000000400000-0x000000000266D000-memory.dmp

memory/932-266-0x0000000004080000-0x00000000040C0000-memory.dmp

memory/2400-274-0x00000000009D0000-0x00000000009EC000-memory.dmp

memory/2400-275-0x00000000009D0000-0x00000000009E5000-memory.dmp

memory/2400-276-0x00000000009D0000-0x00000000009E5000-memory.dmp

memory/2400-278-0x00000000009D0000-0x00000000009E5000-memory.dmp

memory/2400-280-0x00000000009D0000-0x00000000009E5000-memory.dmp

memory/2400-282-0x00000000009D0000-0x00000000009E5000-memory.dmp

memory/2400-284-0x00000000009D0000-0x00000000009E5000-memory.dmp

memory/2400-286-0x00000000009D0000-0x00000000009E5000-memory.dmp

memory/2400-288-0x00000000009D0000-0x00000000009E5000-memory.dmp

memory/2400-290-0x00000000009D0000-0x00000000009E5000-memory.dmp

memory/2400-292-0x00000000009D0000-0x00000000009E5000-memory.dmp

memory/2400-294-0x00000000009D0000-0x00000000009E5000-memory.dmp

memory/2400-296-0x00000000009D0000-0x00000000009E5000-memory.dmp

memory/2400-298-0x00000000009D0000-0x00000000009E5000-memory.dmp

memory/2400-309-0x0000000000A80000-0x0000000000A81000-memory.dmp

memory/340-312-0x0000000000060000-0x0000000000063000-memory.dmp

memory/384-317-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2400-318-0x0000000073750000-0x0000000073E3E000-memory.dmp

memory/2064-328-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2064-329-0x0000000000400000-0x0000000000473000-memory.dmp

memory/1948-343-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2332-344-0x0000000003E90000-0x0000000004288000-memory.dmp

memory/2332-345-0x0000000004290000-0x0000000004B7B000-memory.dmp

memory/2332-346-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2332-353-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2332-354-0x0000000003E90000-0x0000000004288000-memory.dmp

memory/384-356-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1808-357-0x0000000004000000-0x00000000043F8000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/1808-363-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Temp\CabE8DB.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2808-382-0x000000001B230000-0x000000001B512000-memory.dmp

memory/2808-383-0x0000000001F90000-0x0000000001F98000-memory.dmp

memory/2808-399-0x00000000027C4000-0x00000000027C7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 20:42

Reported

2023-10-10 21:09

Platform

win10v2004-20230915-en

Max time kernel

48s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\FF05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\FF05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\FF05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\FF05.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\FF05.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\FF05.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3142.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FB5A.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DB.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\FF05.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\F608.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FF05.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5088 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5088 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5088 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5088 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5088 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5088 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5088 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5088 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5088 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1980 wrote to memory of 4804 N/A N/A C:\Users\Admin\AppData\Local\Temp\F608.exe
PID 1980 wrote to memory of 4804 N/A N/A C:\Users\Admin\AppData\Local\Temp\F608.exe
PID 1980 wrote to memory of 4804 N/A N/A C:\Users\Admin\AppData\Local\Temp\F608.exe
PID 4804 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\F608.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe
PID 4804 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\F608.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe
PID 4804 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\F608.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe
PID 1552 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe
PID 1552 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe
PID 1552 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe
PID 1980 wrote to memory of 4424 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA30.exe
PID 1980 wrote to memory of 4424 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA30.exe
PID 1980 wrote to memory of 4424 N/A N/A C:\Users\Admin\AppData\Local\Temp\FA30.exe
PID 2668 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe
PID 2668 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe
PID 2668 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe
PID 976 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe
PID 976 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe
PID 976 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe
PID 1980 wrote to memory of 1436 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB5A.bat
PID 1980 wrote to memory of 1436 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB5A.bat
PID 1980 wrote to memory of 1436 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB5A.bat
PID 2196 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe
PID 2196 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe
PID 2196 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe
PID 4424 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\FA30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4424 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\FA30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4424 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\FA30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4424 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\FA30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4424 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\FA30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4424 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\FA30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4424 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\FA30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4424 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\FA30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4424 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\FA30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4424 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\FA30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1980 wrote to memory of 2028 N/A N/A C:\Users\Admin\AppData\Local\Temp\FE29.exe
PID 1980 wrote to memory of 2028 N/A N/A C:\Users\Admin\AppData\Local\Temp\FE29.exe
PID 1980 wrote to memory of 2028 N/A N/A C:\Users\Admin\AppData\Local\Temp\FE29.exe
PID 1436 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\FB5A.bat C:\Windows\system32\cmd.exe
PID 1436 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\FB5A.bat C:\Windows\system32\cmd.exe
PID 1952 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1952 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1952 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1952 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1952 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1952 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1952 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1952 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1952 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1952 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1980 wrote to memory of 2216 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF05.exe
PID 1980 wrote to memory of 2216 N/A N/A C:\Users\Admin\AppData\Local\Temp\FF05.exe
PID 1980 wrote to memory of 3180 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB.exe
PID 1980 wrote to memory of 3180 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB.exe
PID 1980 wrote to memory of 3180 N/A N/A C:\Users\Admin\AppData\Local\Temp\DB.exe
PID 2028 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\FE29.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe

"C:\Users\Admin\AppData\Local\Temp\63e7e9b68f356715d1355faf4474753487c07fbdcb3c06a34a9c299d53515b1c.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5088 -ip 5088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 140

C:\Users\Admin\AppData\Local\Temp\F608.exe

C:\Users\Admin\AppData\Local\Temp\F608.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe

C:\Users\Admin\AppData\Local\Temp\FA30.exe

C:\Users\Admin\AppData\Local\Temp\FA30.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe

C:\Users\Admin\AppData\Local\Temp\FB5A.bat

"C:\Users\Admin\AppData\Local\Temp\FB5A.bat"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4424 -ip 4424

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FC03.tmp\FC04.tmp\FC05.bat C:\Users\Admin\AppData\Local\Temp\FB5A.bat"

C:\Users\Admin\AppData\Local\Temp\FE29.exe

C:\Users\Admin\AppData\Local\Temp\FE29.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1952 -ip 1952

C:\Users\Admin\AppData\Local\Temp\FF05.exe

C:\Users\Admin\AppData\Local\Temp\FF05.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2768 -ip 2768

C:\Users\Admin\AppData\Local\Temp\DB.exe

C:\Users\Admin\AppData\Local\Temp\DB.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2028 -ip 2028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 384

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ik712VL.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ik712VL.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeb13a46f8,0x7ffeb13a4708,0x7ffeb13a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb13a46f8,0x7ffeb13a4708,0x7ffeb13a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,8774372969419189774,8678830168175947676,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,8774372969419189774,8678830168175947676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,8774372969419189774,8678830168175947676,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8774372969419189774,8678830168175947676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8774372969419189774,8678830168175947676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8774372969419189774,8678830168175947676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8774372969419189774,8678830168175947676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,8774372969419189774,8678830168175947676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,8774372969419189774,8678830168175947676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8774372969419189774,8678830168175947676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8774372969419189774,8678830168175947676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\3142.exe

C:\Users\Admin\AppData\Local\Temp\3142.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8774372969419189774,8678830168175947676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8774372969419189774,8678830168175947676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\6B8D.exe

C:\Users\Admin\AppData\Local\Temp\6B8D.exe

C:\Users\Admin\AppData\Local\Temp\6DE0.exe

C:\Users\Admin\AppData\Local\Temp\6DE0.exe

C:\Users\Admin\AppData\Local\Temp\7052.exe

C:\Users\Admin\AppData\Local\Temp\7052.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 20.114.59.183:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.35:443 tcp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
NL 142.250.179.195:443 udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 162.61.21.104.in-addr.arpa udp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 104.21.61.162:80 bytecloudasa.website tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 tak.soydet.top udp
NL 142.250.179.195:443 tcp
FI 95.217.246.182:8443 tak.soydet.top tcp
US 8.8.8.8:53 182.246.217.95.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 bytecloudasa.website udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
FI 77.91.124.1:80 tcp
US 52.111.227.13:443 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server2.cdntokiog.studio udp
US 8.8.8.8:53 cdn.discordapp.com udp
SG 74.125.24.127:19302 stun2.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.49:443 server2.cdntokiog.studio tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.0:443 walkinglate.com tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 130.193.15.51.in-addr.arpa udp
FR 163.172.154.142:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 142.154.172.163.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp

Files

memory/4580-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4580-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1980-2-0x0000000002AF0000-0x0000000002B06000-memory.dmp

memory/4580-5-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F608.exe

MD5 26e16643800e11da6d23a668fe5bffc4
SHA1 f3395c143dc6da867b784da8c55c84673c20403a
SHA256 b6509e5dc57e9c64f02a41436d7f083981c39bd44e66570f553e2c012aa895c0
SHA512 e17f8d29e768268e32f2c8c5f1ec57f62496c0caf5c9b1c03c6c918aa5e6ae2fcd8156853e118f0834545ab8b04b9e731d8f8ae67a1527a8b0882f7373c60841

C:\Users\Admin\AppData\Local\Temp\F608.exe

MD5 26e16643800e11da6d23a668fe5bffc4
SHA1 f3395c143dc6da867b784da8c55c84673c20403a
SHA256 b6509e5dc57e9c64f02a41436d7f083981c39bd44e66570f553e2c012aa895c0
SHA512 e17f8d29e768268e32f2c8c5f1ec57f62496c0caf5c9b1c03c6c918aa5e6ae2fcd8156853e118f0834545ab8b04b9e731d8f8ae67a1527a8b0882f7373c60841

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe

MD5 a18283afb2aae9c440b749f41eb23c42
SHA1 1090de0f48e997dc328312b3ffab7586029c0138
SHA256 e68c2f69d853606257c37a1e36a52a17b22b49593126adc0a2540ba316fb1d2d
SHA512 0bf8c00e37332699dd387c93eb1fbe801f4a7725bfb26863acd3b3392cb3772b768cf62edd7c5d2df2c8c2cbbfe054f42f7b8c8055be8232f9c4eaf4ac922da7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UD6Nc0Qd.exe

MD5 a18283afb2aae9c440b749f41eb23c42
SHA1 1090de0f48e997dc328312b3ffab7586029c0138
SHA256 e68c2f69d853606257c37a1e36a52a17b22b49593126adc0a2540ba316fb1d2d
SHA512 0bf8c00e37332699dd387c93eb1fbe801f4a7725bfb26863acd3b3392cb3772b768cf62edd7c5d2df2c8c2cbbfe054f42f7b8c8055be8232f9c4eaf4ac922da7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe

MD5 56d9fbce98df03bad77c09372964d861
SHA1 15254dcce30064aebc7021dc39136deb562bf6d2
SHA256 59cd12882e61f870ac687865c0db70a7c8e7a326bcaae1503e91044672bb8eb0
SHA512 f82d69c59c94876f3dfb0d86eb9e0206b216fc2392633d1805cbed7d5b252280a1a670973d0dd4ce063e29cc32f8cbdf9f9933178d0a572c91d923578e9a0ed4

C:\Users\Admin\AppData\Local\Temp\FA30.exe

MD5 3573958cb38edffb8315c24dd715bd87
SHA1 6f78fe8ef4c0015da6df4183fe7e6226e629bf4c
SHA256 f2e98024fa0363c4199c28a2b8c25d621fe5beff48a65b06009263ad5005e8a8
SHA512 2b12a58dc5373caf2695ef6842cfb7296929e3bfb604a5c7a3a1030928c24e8ae602221ef68458b7b3efcd698c05c25f352dfc21b3551cf6809e55ff3175a686

C:\Users\Admin\AppData\Local\Temp\FA30.exe

MD5 3573958cb38edffb8315c24dd715bd87
SHA1 6f78fe8ef4c0015da6df4183fe7e6226e629bf4c
SHA256 f2e98024fa0363c4199c28a2b8c25d621fe5beff48a65b06009263ad5005e8a8
SHA512 2b12a58dc5373caf2695ef6842cfb7296929e3bfb604a5c7a3a1030928c24e8ae602221ef68458b7b3efcd698c05c25f352dfc21b3551cf6809e55ff3175a686

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bP4YC6nA.exe

MD5 56d9fbce98df03bad77c09372964d861
SHA1 15254dcce30064aebc7021dc39136deb562bf6d2
SHA256 59cd12882e61f870ac687865c0db70a7c8e7a326bcaae1503e91044672bb8eb0
SHA512 f82d69c59c94876f3dfb0d86eb9e0206b216fc2392633d1805cbed7d5b252280a1a670973d0dd4ce063e29cc32f8cbdf9f9933178d0a572c91d923578e9a0ed4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe

MD5 8421f6b463d0612dec16db3e0c029f2f
SHA1 d90d59dd217a0cdc2c7e808d6f97f2fa0ed949b9
SHA256 928bccfe9b0c43f6d915f8b08d4e5a385a12736686da90b913f40966313523f9
SHA512 f75c86034d090a626008e9fbd8a087e9a136a04a865fe1767166069718daaeb1140be31f3b4d99f63719f223586afdebf97c828771ea2622f5d9d3d843490230

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JR1ro8Xb.exe

MD5 8421f6b463d0612dec16db3e0c029f2f
SHA1 d90d59dd217a0cdc2c7e808d6f97f2fa0ed949b9
SHA256 928bccfe9b0c43f6d915f8b08d4e5a385a12736686da90b913f40966313523f9
SHA512 f75c86034d090a626008e9fbd8a087e9a136a04a865fe1767166069718daaeb1140be31f3b4d99f63719f223586afdebf97c828771ea2622f5d9d3d843490230

C:\Users\Admin\AppData\Local\Temp\FB5A.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe

MD5 4e10fde88dd9d2d63f426599a292444e
SHA1 aab6ffd77142b05a285bdfe17a0d81b9f104a144
SHA256 deca3ae35cab3253c52e03468f324bd45922c0e2eab9cf453eede5d75cdaad8e
SHA512 6d9b64a47ffc5e4dfd947da76833bad56be34a57993b55cbceb8f48be0ec556f3367eb78b05e93fcfed5d9a879770148bee74dc0da4f762b5f98d7c1efe527f8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1RN09Xh9.exe

MD5 4e10fde88dd9d2d63f426599a292444e
SHA1 aab6ffd77142b05a285bdfe17a0d81b9f104a144
SHA256 deca3ae35cab3253c52e03468f324bd45922c0e2eab9cf453eede5d75cdaad8e
SHA512 6d9b64a47ffc5e4dfd947da76833bad56be34a57993b55cbceb8f48be0ec556f3367eb78b05e93fcfed5d9a879770148bee74dc0da4f762b5f98d7c1efe527f8

C:\Users\Admin\AppData\Local\Temp\FB5A.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\FB5A.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe

MD5 aacac442fd439606eb6122177bea54ec
SHA1 a8b58402a720b454802a188d5906fd1df6ec01b3
SHA256 d95b2814893ec3043908919a2c73c24ba006c589c6ad49d3cfc31dfe7e134265
SHA512 c1c73a8985d9b2bf836309b4e853ffe37e582716b400b71ed363b5af954f4c562d35038c0155f915f87668499273d3131cbb63f3854f388aa971f3547719847d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JD8xi3ZV.exe

MD5 aacac442fd439606eb6122177bea54ec
SHA1 a8b58402a720b454802a188d5906fd1df6ec01b3
SHA256 d95b2814893ec3043908919a2c73c24ba006c589c6ad49d3cfc31dfe7e134265
SHA512 c1c73a8985d9b2bf836309b4e853ffe37e582716b400b71ed363b5af954f4c562d35038c0155f915f87668499273d3131cbb63f3854f388aa971f3547719847d

memory/3708-59-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3708-60-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3708-61-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FE29.exe

MD5 387577cb83814176b06f8f0631fea132
SHA1 a204ff6e96ff6e6e4cbcc8d6e855132180591449
SHA256 1d7bbec9f8fa7660280d7c70ac3c7ac52415b8646d03f84644afc2acd0ade8ea
SHA512 af799a35c5b4f6badd7e63784e5c446d9bf4c5b4ee434d8d91e77e368d6b0f626312c9e942ee948e913772327bfb4294286577b29686935bfd4e8f0363fd417c

C:\Users\Admin\AppData\Local\Temp\FE29.exe

MD5 387577cb83814176b06f8f0631fea132
SHA1 a204ff6e96ff6e6e4cbcc8d6e855132180591449
SHA256 1d7bbec9f8fa7660280d7c70ac3c7ac52415b8646d03f84644afc2acd0ade8ea
SHA512 af799a35c5b4f6badd7e63784e5c446d9bf4c5b4ee434d8d91e77e368d6b0f626312c9e942ee948e913772327bfb4294286577b29686935bfd4e8f0363fd417c

memory/3708-58-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2768-69-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2216-72-0x0000000000E60000-0x0000000000E6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FF05.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\FF05.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\DB.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/2216-79-0x00007FFEB3F00000-0x00007FFEB49C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DB.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3280-83-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2768-75-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2768-73-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3280-84-0x00000000724E0000-0x0000000072C90000-memory.dmp

memory/3708-89-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3280-93-0x0000000008100000-0x00000000086A4000-memory.dmp

memory/3280-94-0x0000000007BF0000-0x0000000007C82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/4580-101-0x0000000000410000-0x000000000044E000-memory.dmp

memory/4580-102-0x00000000724E0000-0x0000000072C90000-memory.dmp

memory/3280-100-0x0000000007BA0000-0x0000000007BAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ik712VL.exe

MD5 bc0a6049eecddb65511b6c817c98e1ef
SHA1 5caa207b6abf9144c6feb9bffcff3a8a076241ee
SHA256 25823e6984c9b840c119386ef6ffe881aad8b16f00d6e8e3129c3ebec0702395
SHA512 a5b9959cc7b5ca98093430d51d10e971849865120865bf3b6ee303b4437a00a127289e2971412f47cce3e394cb81e07373367dd923cb75babb6b138fc66d0f94

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ik712VL.exe

MD5 bc0a6049eecddb65511b6c817c98e1ef
SHA1 5caa207b6abf9144c6feb9bffcff3a8a076241ee
SHA256 25823e6984c9b840c119386ef6ffe881aad8b16f00d6e8e3129c3ebec0702395
SHA512 a5b9959cc7b5ca98093430d51d10e971849865120865bf3b6ee303b4437a00a127289e2971412f47cce3e394cb81e07373367dd923cb75babb6b138fc66d0f94

memory/4580-103-0x00000000073D0000-0x00000000073E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FC03.tmp\FC04.tmp\FC05.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

memory/3280-95-0x0000000007BE0000-0x0000000007BF0000-memory.dmp

memory/4580-104-0x0000000008280000-0x0000000008898000-memory.dmp

memory/3280-105-0x0000000007EF0000-0x0000000007FFA000-memory.dmp

memory/3280-106-0x0000000007E20000-0x0000000007E32000-memory.dmp

memory/4580-107-0x00000000074C0000-0x00000000074FC000-memory.dmp

memory/3280-108-0x0000000008000000-0x000000000804C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d5af55f794f9a10c5943d2f80dde5c5
SHA1 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d5af55f794f9a10c5943d2f80dde5c5
SHA1 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

\??\pipe\LOCAL\crashpad_3320_DFLVTKRXLSSQZYRX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5d7f9e0da707a2bcaca0cefe2ee78be0
SHA1 cde0af710ee29cce9c480e55562755a73d253d10
SHA256 c5fb882cda963e5a3f7d06f0345e03ae9958723cdc6364289136dcc3e9b30ff2
SHA512 e597cb1e2211101c5de6bae0567b3172233dd0a0d7697d03e778f88660a9370cfaacb7f1d7a404b8969c2ac80b77bdac4692fc368eb7e758355a445d839e7eef

memory/2216-200-0x00007FFEB3F00000-0x00007FFEB49C1000-memory.dmp

memory/3280-216-0x00000000724E0000-0x0000000072C90000-memory.dmp

memory/2216-218-0x00007FFEB3F00000-0x00007FFEB49C1000-memory.dmp

memory/3280-226-0x0000000007BE0000-0x0000000007BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/4580-238-0x00000000724E0000-0x0000000072C90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3142.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Temp\3142.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/4580-242-0x00000000073D0000-0x00000000073E0000-memory.dmp

memory/5248-243-0x00000000724E0000-0x0000000072C90000-memory.dmp

memory/5248-244-0x0000000000110000-0x000000000103A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/5564-278-0x00000000007E0000-0x0000000000CF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/5564-277-0x00000000724E0000-0x0000000072C90000-memory.dmp

memory/5564-283-0x0000000005720000-0x0000000005730000-memory.dmp

memory/5248-282-0x00000000724E0000-0x0000000072C90000-memory.dmp

memory/5564-285-0x0000000005830000-0x00000000058CC000-memory.dmp

memory/5564-284-0x0000000003040000-0x0000000003041000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 eda8be757485fc3450d19d77f248a909
SHA1 8962da6aa2d1527edc0cc15f9538abcfb5b73f1b
SHA256 26145e6db2b1a3d246aa08074c3c46d2834fa48300590e767b4bf25248d5c963
SHA512 c50520045a785f5c4c65ca6883270217032a740c221d7455f1469399b19bb18e9509b9fc4fe63371a36a086aa7c69ed00a8813d765296a466066c9fcdcb977d2

memory/4232-292-0x00000000025F0000-0x00000000026F0000-memory.dmp

memory/4232-293-0x00000000023E0000-0x00000000023E9000-memory.dmp

memory/4496-296-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/4496-294-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ae649795fe52b72dc601c721a3f401d2
SHA1 e64417a5cecfd6129e3ca49969814fafe82b0458
SHA256 3ff9a382c56cbde62b198c4ddd31354faf0896887358c9eeaa9dabd1069baae2
SHA512 7049e94a85948ac5c158f3be8227c7648aa443956ce0359712011d74722bb8056d9150c42e7a15aec50b0f99088a8ea821498d34c4b6927a84bc1ca1a3981a36

memory/5556-307-0x0000000004320000-0x0000000004719000-memory.dmp

memory/5556-310-0x0000000004720000-0x000000000500B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 10f5b64000466c1e6da25fb5a0115924
SHA1 cb253bacf2b087c4040eb3c6a192924234f68639
SHA256 d818b1cebb2d1e2b269f2e41654702a0df261e63ba2a479f34b75563265ee46b
SHA512 8a8d230594d6fade63ecd63ba60985a7ccd1353de8d0a119543985bf182fdbb45f38ccc96441c24f0792ea1c449de69563c38348c2bedb2845522a2f83a149db

memory/5556-320-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/5564-328-0x0000000005720000-0x0000000005730000-memory.dmp

memory/5564-327-0x00000000724E0000-0x0000000072C90000-memory.dmp

memory/5988-326-0x0000000004660000-0x0000000004696000-memory.dmp

memory/5988-329-0x00000000724E0000-0x0000000072C90000-memory.dmp

memory/5988-330-0x0000000004DC0000-0x00000000053E8000-memory.dmp

memory/5988-332-0x0000000005560000-0x00000000055C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p1oj410k.43q.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5988-335-0x0000000005640000-0x00000000056A6000-memory.dmp

memory/5988-331-0x0000000004D50000-0x0000000004D72000-memory.dmp

memory/5988-343-0x00000000056B0000-0x0000000005A04000-memory.dmp

memory/5988-344-0x0000000005C50000-0x0000000005C6E000-memory.dmp

memory/4496-346-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1980-345-0x00000000028C0000-0x00000000028D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/5556-351-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5988-352-0x00000000061B0000-0x00000000061F4000-memory.dmp

memory/5556-353-0x0000000004320000-0x0000000004719000-memory.dmp

memory/5656-354-0x00007FF69E120000-0x00007FF69E6C1000-memory.dmp

memory/5556-355-0x0000000004720000-0x000000000500B000-memory.dmp

memory/5988-357-0x0000000006F70000-0x0000000006FE6000-memory.dmp

memory/5988-356-0x0000000004780000-0x0000000004790000-memory.dmp

memory/5988-358-0x0000000007670000-0x0000000007CEA000-memory.dmp

memory/5988-359-0x0000000007010000-0x000000000702A000-memory.dmp

memory/5564-360-0x0000000005A60000-0x0000000005A7C000-memory.dmp

memory/5564-362-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/5564-366-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/5564-370-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/5564-378-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/5564-384-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/3700-385-0x0000000000400000-0x000000000047F000-memory.dmp

memory/3700-386-0x0000000000400000-0x000000000047F000-memory.dmp

memory/5988-389-0x00000000071E0000-0x0000000007212000-memory.dmp

memory/5988-390-0x0000000073330000-0x000000007337C000-memory.dmp

memory/5988-392-0x000000006C370000-0x000000006C6C4000-memory.dmp

memory/5564-394-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

memory/5988-404-0x00000000071C0000-0x00000000071DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6B8D.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/5564-393-0x00000000724E0000-0x0000000072C90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6B8D.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

memory/5556-391-0x0000000000400000-0x000000000266D000-memory.dmp

memory/3700-388-0x0000000000400000-0x000000000047F000-memory.dmp

memory/5564-382-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/5564-380-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/5564-376-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/5564-374-0x0000000005A60000-0x0000000005A75000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6DE0.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/4100-419-0x00000000020A0000-0x00000000020FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6DE0.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/5564-372-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/5564-368-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/5564-364-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/5564-361-0x0000000005A60000-0x0000000005A75000-memory.dmp

memory/5192-432-0x00000000001D0000-0x00000000001EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7052.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\7052.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7c72cb12b63a29e560bdce2b6571b7e3
SHA1 d1dce8c3c3e2d2667a03ea2273f7c6bd5d0c03df
SHA256 cfad2bd59ec2bbd82af7d679c221daf187fae8dd838ac362d3b2b1e0f45132e0
SHA512 bd3471fb049c9d468b1e70e5e24d251f154776e81db4d2b2252f724134bdf9503d154638b18c7cd35e5fe78daec1d16b0694f5b56b606211c0de69bf4f8c4da6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587bd2.TMP

MD5 b082cbde45349aeaab5d6ea123d9902c
SHA1 e2a6c9a709dcf79fe0fd8d13834ee48b14aaa9fa
SHA256 38d9636ba59c18e59dd8a5e5d64398a4e7c73cab734607ed6ec4e7567b770e05
SHA512 6d2e9a496c7910595fdd5cdc7ef95cdec5524137a10ace419062612da894f8c779d802dcf26cc03e48a28ddc522bb798c9207fb624737300c84c4d3501d59dab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c85b275ea0e63b151656311847a4e31a
SHA1 f1d13e3d62ebb2bc8de4446dfad18b847d7e3345
SHA256 89b6fbcb584d8ec3c01bb4a5afe0d1d7b6d44e8cab72044ad91c30301c699d8b
SHA512 1fc21e412eebf0fe5e8ef59baa7f0565f44f5524fafc6ed08ae277b60402d4badcf4ef0d5287f508b0cc3757fd5ae992db3fe6934384bfcd60d27e3914d7e60f

memory/5556-477-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

memory/5556-483-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3bf1d86ae432d98f98ef87a09dec33a0
SHA1 6f883a5ad1188e394e0792dd01fba5cd409d3dc7
SHA256 09ea9c549dbd4fe2d697ac18317a6eb038de8d178fe0db85de37ef32ab77a4bb
SHA512 7b45e6886199ee3ba776f8063342031f7f2774bc093e2150c95248f9336002eb42d32067b3d983ae2b0d1fc067ce2e9da949fb01eaffafbd54623451a6bc0fcd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5 749bf12469927bc940c4ba67ba95ad8a
SHA1 28d99ee854fc71787adbd9da00298265a86f47ab
SHA256 9da730832a80e004c0a9c2114864fba0bec73ba836d6d22fe218457e31774b15
SHA512 16646c961691c29cb3b5c7c9fbb28af07ca5dc0ea461dd7a1eea149f027134ff0c2157e19c620852f456958c5a323bfc2245c54377fcf273367ee5cc928a5e40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

MD5 0f18ec8020be60b4a0ff180d81952aa8
SHA1 d7e79e98f7f566b55e598b765b3af0427a40a1c5
SHA256 c8fe570f3f04b6b76e59af14a5f3bd3c2a2f9d80fea77b0b2cad983b3b63930f
SHA512 224d591131537ddd59e51989c164a7e919e1c360ea9d5b18a469c6a3ad6d1e8027f9fb2e781cde55e96608141fa2ab8cef312ed7c0ac4fdc2d9327db9a8c2d59

C:\Users\Admin\AppData\Local\Temp\tmpA072.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpA097.tmp

MD5 afa13f3defcd7a3454d106cf6abbf911
SHA1 c5bb2e376d265d252edbcea4252580c7f44ee741
SHA256 707fff65d2f00566f96afd5b2a0e1c0460367c4bc008e55b60739f046f46f2f0
SHA512 570a13afeaa7452cb43528aff19c09bbc528c6b29f065e847e966bfd2cd8dc3cdc0637935e6f9ebfdde8019e5135ab01a3a18667e0ed8623ef8b3366492a6203

C:\Users\Admin\AppData\Local\Temp\tmpA0DE.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpA119.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\tmpA0D8.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmpA0C3.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 03cc44719acbebcf5716d57743e71f95
SHA1 cf77b14ebeb929f0ebdca96287fc0368b7d836f8
SHA256 6dd77664d642f6a0ac41f5e5fc6580c42ea70fd59a01cd475decfafde3bae73a
SHA512 b5bb29f25d39a5972850d2a2219fbf075b7f2c940c4c89d947259e3b7219ad7180c20cea063d98160405d596f1011c8b53726d3825c076e902a1bab7e57f3c08

memory/5760-724-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

memory/5656-792-0x00007FF69E120000-0x00007FF69E6C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4