Malware Analysis Report

2024-11-30 23:23

Sample ID 231012-p662fsch75
Target b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377
SHA256 b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377
Tags
amadey dcrat glupteba healer redline smokeloader systembc breha kukish prets backdoor google discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377

Threat Level: Known bad

The file b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377 was found to be: Known bad.

Malicious Activity Summary

RedLine

Detects Healer an antivirus disabler dropper

Healer

Detected google phishing page

RedLine payload

Amadey

Glupteba

SystemBC

SmokeLoader

Modifies Windows Defender Real-time Protection settings

DcRat

Looks for VirtualBox Guest Additions in registry

Downloads MZ/PE file

Looks for VMWare Tools registry key

Modifies Windows Firewall

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of local email clients

Windows security modification

Checks computer location settings

.NET Reactor protector

Maps connected drives based on registry

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Manipulates WinMonFS driver

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of UnmapMainImage

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Kills process with taskkill

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 12:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 12:57

Reported

2023-10-16 03:43

Platform

win7-20230831-en

Max time kernel

120s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2068 set thread context of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\SysWOW64\WerFault.exe
PID 2068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\SysWOW64\WerFault.exe
PID 2068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\SysWOW64\WerFault.exe
PID 2068 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\SysWOW64\WerFault.exe
PID 2748 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2748 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2748 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2748 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2748 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2748 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2748 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe

"C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 200

Network

N/A

Files

memory/2748-0-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2748-1-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2748-2-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2748-4-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2748-5-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2748-3-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2748-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2748-7-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2748-9-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2748-11-0x0000000000400000-0x000000000053D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 12:57

Reported

2023-10-16 03:42

Platform

win10v2004-20230915-en

Max time kernel

158s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\517A.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\517A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\517A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\517A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\517A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\842A.exe N/A

Downloads MZ/PE file

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\842A.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\842A.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6385989.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\75E1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5CC9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3628529.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3628529.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6562103.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6385989.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PY7xi2EX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Gq5LF2NL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\GL2UB3gT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er1Jb6pC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1fJ09tq5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2gA840Qk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe N/A
N/A N/A C:\ProgramData\xicidp\tvqccq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4CB4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4D61.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5051.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\517A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5341.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2oA114KX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5804.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5A96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5CC9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6352.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75E1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\842A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\ProgramData\xicidp\tvqccq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\517A.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Gq5LF2NL.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sus.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000075051\\sus.exe" C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\GL2UB3gT.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er1Jb6pC.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000127051\\socks.exe" C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4CB4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup9 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP010.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PY7xi2EX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto2552.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000076051\\foto2552.exe" C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nalo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000077051\\nalo.exe" C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\842A.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\842A.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4536 set thread context of 4748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1468 set thread context of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 set thread context of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4816 set thread context of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1648 set thread context of 3392 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 set thread context of 2516 N/A C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2168 set thread context of 3636 N/A C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1552 set thread context of 1400 N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1fJ09tq5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4920 set thread context of 1948 N/A C:\Users\Admin\AppData\Local\Temp\4D61.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1832 set thread context of 4124 N/A C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 set thread context of 4240 N/A C:\Users\Admin\AppData\Local\Temp\5051.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5320 set thread context of 5668 N/A C:\Users\Admin\AppData\Local\Temp\6352.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 6980 set thread context of 6292 N/A C:\Windows\System32\Conhost.exe C:\Users\Admin\AppData\Local\Temp\842A.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\tvqccq.job C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe N/A
File opened for modification C:\Windows\Tasks\tvqccq.job C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6562103.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1fJ09tq5.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\4D61.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\5051.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\5804.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\842A.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\842A.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\BIOS C:\Users\Admin\AppData\Local\Temp\842A.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\842A.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\842A.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
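
The rows that matter in the tables above are the SetThreadContext calls into AppLaunch.exe and vbc.exe (a user-writable binary rewriting the thread context of a suspended, signed .NET host is the hollowing pattern behind the RedLine and Healer detections), the .job and csrss.exe/windefender.exe drops under C:\Windows, and the SCSI and BIOS registry reads. The report lists them next to noise, though: chrome.exe and msedge.exe query SystemManufacturer and SystemProductName for their own telemetry, so "Enumerates system info in registry" is only evidence for the 842A.exe hits, and an "N/A" process on a thread-context row means the sandbox could not attribute the parent, not that there was none. The script below is an added example written for this page, not tooling from the sandbox or from any of the families named in the report. It re-parses rows copied verbatim from these tables (SAMPLE_ROWS, constructed input) and applies the three filters a reviewer applies by hand. The host, browser and servicing allow-lists are the author's assumptions, not something the report states.

```python
import re

# Signed .NET framework hosts that the loaders in this report hollow out (the host is started
# suspended, its thread context is rewritten, then resumed). Assumed list, not from the report.
DOTNET_HOSTS = {"applaunch.exe", "vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "installutil.exe"}
# Browsers read BIOS/GPU/SCSI keys for their own telemetry; their hits are not evidence. Assumed list.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Processes expected to write under C:\Windows. Assumed list.
SERVICING = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "hyper-v", "xen")

# Column layouts of the flattened report rows: "PID a set thread context of b <ind> <proc> <target>",
# "<op> <key> <process> N/A" and "<op> <file> <process> N/A". Process paths may contain spaces.
THREAD_CTX = re.compile(r"^PID (\d+) set thread context of (\d+) (\S+) (\S+) (\S+)$")
REG_ROW = re.compile(r"^(Key (?:opened|enumerated|queried)|Key value queried) (\S+) (.+?) N/A$")
FILE_ROW = re.compile(r"^(File created|File opened for modification) (\S+) (.+?) N/A$")

# Rows copied verbatim from the tables above (constructed sample input for this example).
SAMPLE_ROWS = [
    r"PID 1648 set thread context of 3392 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    r"PID 2176 set thread context of 2516 N/A C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    r"PID 5320 set thread context of 5668 N/A C:\Users\Admin\AppData\Local\Temp\6352.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
    r"PID 6980 set thread context of 6292 N/A C:\Windows\System32\Conhost.exe C:\Users\Admin\AppData\Local\Temp\842A.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\842A.exe N/A",
    r"Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\842A.exe N/A",
    r"File created C:\Windows\Tasks\tvqccq.job C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe N/A",
    r"File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A",
    r"File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A",
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(rows):
    """Return (kind, detail) findings for the rows worth acting on; benign noise is dropped."""
    findings = []
    for row in rows:
        m = THREAD_CTX.match(row)
        if m:
            src_pid, dst_pid, _indicator, src, dst = m.groups()
            src_name = "?" if src == "N/A" else basename(src)   # "?" = sandbox could not attribute
            kind = "hollowing" if basename(dst) in DOTNET_HOSTS else "setthreadcontext"
            findings.append((kind, f"{src_name} -> {basename(dst)} (pid {src_pid}->{dst_pid})"))
            continue
        m = REG_ROW.match(row)
        if m:
            _op, key, proc = m.groups()
            if basename(proc) in BROWSERS:
                continue                                          # browser telemetry, not evidence
            k = key.lower()
            if any(v in k for v in VM_MARKERS):
                findings.append(("anti-vm", f"{basename(proc)} read {key}"))
            elif "\\hardware\\description\\system" in k or k.endswith("\\enum\\scsi"):
                findings.append(("fingerprint", f"{basename(proc)} read {key}"))
            continue
        m = FILE_ROW.match(row)
        if m:
            _op, target, proc = m.groups()
            t = target.lower()
            if not t.startswith("c:\\windows\\") or basename(proc) in SERVICING:
                continue
            if t.startswith("c:\\windows\\tasks\\") and t.endswith(".job"):
                findings.append(("scheduled-task", f"{basename(proc)} wrote {target}"))
            elif t.endswith(".exe"):
                findings.append(("dropped-exe", f"{basename(proc)} wrote {target}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_ROWS):
        print(f"{kind:16} {detail}")
```

Run against the eleven sample rows it returns ten findings: the chrome.exe BIOS read is the only row dropped, and the Conhost.exe row is kept but graded below the three .NET-host hollowings because its target is not a known host.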

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2609025996" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404192615" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C6358D11-6BD5-11EE-941E-CE3E7C77A9B8} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e01d3a14bb1f3846b5fc27e9e0ad356000000000020000000000106600000001000020000000baca9472d60f084722f95f4f0af82bd828bb9c2c10513e838fb2a070fd8a8273000000000e8000000002000020000000f8298e181bd2ed1d47ce53d058ef0a28aa9bf338bbfbd3b61aa1619236b338b2200000001058679f81854db24c029ae3bf06b527cd0e7f57aa9ffe2bb510949925d75aed4000000017798a1a0e57acdf9c18489ff51f4daf548030e10de167dbb9ca9e2ca0b67877161403c9357a0c40ebcd0c6e87a280c25b5d836d9809d03c36345328845be13f C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2598835866" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31064034" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2598835866" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31064034" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2095da9de2ffd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e01d3a14bb1f3846b5fc27e9e0ad3560000000000200000000001066000000010000200000003dbe0efb9b8af0e7368025fd9c9875cdcf36bd6df59aa2512d7085ea6b599139000000000e8000000002000020000000180ac98cff13af23bcb523a02058f84621049a725b5e8fb30668f7fd64bfcddf2000000069778e7634f8e6ef7a97ac9f37dc33303cdb2a98ed18be902e2becf82bad0044400000009b4641421eb3f813405d64841b70b8c88dcf8c5ee73783f83232838a14931daa070bb87b5fef540f431ec87812e26151a8eb994ad5e737e02f71e7a1118c2f93 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f02f019ee2ffd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31064034" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-919254492-3979293997-764407192-1000\{D8998E84-17A7-46DD-AE2F-C03CA5E167D2} C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\842A.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\842A.exe N/A
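
A caveat on the row above. HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates is the cache that Windows' automatic root update fills when a process validates a chain ending in a Microsoft-trusted root that is not yet present locally; a program installing its own root writes to the Root or CA store instead. The blob written here carries the friendly name "DST Root CA X3", the thumbprint DAC9024F54D8F6DF94935FB1732638CA6AD77C13 and a notAfter of 210930140115Z (30 September 2021), i.e. the IdenTrust root that cross-signed Let's Encrypt's ISRG Root X1 until it expired. On its own this row is therefore consistent with 842A.exe making an outbound TLS connection and does not show a rogue root being installed; a write under Root or CA, or a thumbprint that cannot be matched to a root you recognise, would. The useful check is on the blob's content, not the key name: decode it, recompute the hashes over the embedded DER, and compare against a known-roots list. The parser below is an added example written for this page, not code from the sandbox or from any family named in the report. The record layout (repeated prop_id / reserved=1 / length / data, little-endian) and the CERT_*_PROP_ID numbers are those of wincrypt.h; PAGE_BLOB_PREFIX is the report's own value copied only up to the record that holds the certificate body, and make_blob() with its fake_der input is constructed test data.

```python
import hashlib
import struct

# CERT_*_PROP_ID values (wincrypt.h) that appear in AuthRoot blobs.
PROP_SHA1_HASH = 3            # CERT_SHA1_HASH_PROP_ID: the "thumbprint"
PROP_MD5_HASH = 4             # CERT_MD5_HASH_PROP_ID
PROP_FRIENDLY_NAME = 11       # CERT_FRIENDLY_NAME_PROP_ID, UTF-16LE, NUL-terminated
PROP_KEY_IDENTIFIER = 20      # CERT_KEY_IDENTIFIER_PROP_ID (subject key identifier)
PROP_CERT = 32                # CERT_CERT_PROP_ID: the DER-encoded certificate itself
PROP_AUTH_ROOT_SHA256 = 98    # CERT_AUTH_ROOT_SHA256_HASH_PROP_ID

# Copied from the report's Blob value above, truncated before the CERT_CERT_PROP_ID record.
PAGE_BLOB_PREFIX = bytes.fromhex(
    "5c000000010000000400000000080000"
    "1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424"
    "030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13"
    "68000000010000000800000000409120d035d901"
    "7e000000010000000800000000c001b39667d601"
    "7f000000010000000e000000300c060a2b0601040182370a0304"
    "1d00000001000000100000004558d512eecb27464920897de7b66053"
    "140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910"
    "0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000"
    "6200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739"
    "090000000100000042000000304006082b06010505070302060a2b0601040182370a030c"
    "060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b06010505070308"
    "0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d"
    "040000000100000010000000410352dc0ff7501b16f0028eba6f45c5"
)


def parse_cert_blob(blob: bytes) -> dict:
    """Decode the serialized-property layout of a SystemCertificates ...\\Blob value:
    a run of (prop_id u32, reserved u32 == 1, length u32, data[length]) records, little-endian."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"bad reserved field {reserved} at offset {off}")
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {prop_id} runs past the end of the blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_cert_blob(blob)
        return True
    except ValueError:
        return False


def summarize(blob: bytes) -> dict:
    """Extract what gets compared against a known-roots list, and check that the cached
    thumbprints actually belong to the embedded certificate."""
    props = parse_cert_blob(blob)
    name = props.get(PROP_FRIENDLY_NAME, b"").decode("utf-16-le").rstrip("\x00")
    sha1 = props.get(PROP_SHA1_HASH, b"").hex()
    sha256 = props.get(PROP_AUTH_ROOT_SHA256, b"").hex()
    der = props.get(PROP_CERT)
    consistent = None
    if der is not None:
        # The hash properties are cached metadata, not proof: recompute them over the DER so a
        # blob whose thumbprint was edited to match a trusted root is not accepted on its name.
        consistent = hashlib.sha1(der).hexdigest() == sha1
        if sha256:
            consistent = consistent and hashlib.sha256(der).hexdigest() == sha256
    return {"friendly_name": name, "sha1": sha1, "sha256": sha256,
            "has_cert": der is not None, "hash_consistent": consistent}


def encode_props(props: dict) -> bytes:
    """Inverse of parse_cert_blob; used here only to build constructed test blobs."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props.items())


def make_blob(der: bytes, friendly_name: str) -> bytes:
    """Build a blob shaped like a freshly cached AuthRoot entry (constructed data)."""
    return encode_props({
        PROP_SHA1_HASH: hashlib.sha1(der).digest(),
        PROP_FRIENDLY_NAME: (friendly_name + "\x00").encode("utf-16-le"),
        PROP_AUTH_ROOT_SHA256: hashlib.sha256(der).digest(),
        PROP_CERT: der,
    })


if __name__ == "__main__":
    for k, v in summarize(PAGE_BLOB_PREFIX).items():
        print(f"{k:16} {v}")
```

On the report's blob the parser yields the name and both fingerprints directly; hash_consistent stays None because the certificate record was left out of the copied prefix. With a complete blob it returns True only when SHA-1 and SHA-256 of the DER match the cached properties, which is the test that separates a genuinely cached root from a hand-crafted entry that merely reuses a well-known name and thumbprint.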

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4536 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4536 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4536 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4536 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4536 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4536 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4536 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4536 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4536 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4536 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4748 wrote to memory of 3232 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe
PID 4748 wrote to memory of 3232 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe
PID 4748 wrote to memory of 3232 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe
PID 3232 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe
PID 3232 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe
PID 3232 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe
PID 4532 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe
PID 4532 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe
PID 4532 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe
PID 4776 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe
PID 4776 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe
PID 4776 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe
PID 852 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe
PID 852 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe
PID 852 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe
PID 1468 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1468 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1468 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1468 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1468 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1468 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1468 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1468 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 852 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe
PID 852 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe
PID 852 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe
PID 2068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2068 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4776 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe
PID 4776 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe
PID 4776 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe
PID 4816 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4816 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4816 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4816 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4816 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4816 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3628529.exe
PID 4532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3628529.exe
PID 4532 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3628529.exe
PID 2400 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3628529.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
PID 2400 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3628529.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
PID 2400 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3628529.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
PID 3232 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6562103.exe
PID 3232 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6562103.exe
PID 3232 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6562103.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe

"C:\Users\Admin\AppData\Local\Temp\b97cf8e14076f75497c53ea069997c4cd6275387907c210a5b45059c2c49c377.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4536 -ip 4536

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 296

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1468 -ip 1468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 136

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2068 -ip 2068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2856 -ip 2856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 212

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4816 -ip 4816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3628529.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3628529.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6562103.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6562103.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explonde.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explonde.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1648 -ip 1648

C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe

"C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe

"C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Gq5LF2NL.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Gq5LF2NL.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\GL2UB3gT.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\GL2UB3gT.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er1Jb6pC.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er1Jb6pC.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"

C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe

"C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe"

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1fJ09tq5.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1fJ09tq5.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PY7xi2EX.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PY7xi2EX.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6385989.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6385989.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2176 -ip 2176

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2168 -ip 2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3636 -ip 3636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1552 -ip 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1400 -ip 1400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 540

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2gA840Qk.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2gA840Qk.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe

"C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bc2d9758,0x7ff9bc2d9768,0x7ff9bc2d9778

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2228 CREDAT:17410 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2280 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3228 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4648 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4852 --field-trial-handle=1940,i,11701158013111701422,4383947121416871342,131072 /prefetch:8

C:\ProgramData\xicidp\tvqccq.exe

C:\ProgramData\xicidp\tvqccq.exe start2

C:\Users\Admin\AppData\Local\Temp\4CB4.exe

C:\Users\Admin\AppData\Local\Temp\4CB4.exe

C:\Users\Admin\AppData\Local\Temp\4D61.exe

C:\Users\Admin\AppData\Local\Temp\4D61.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4F17.bat" "

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4920 -ip 4920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 272

C:\Users\Admin\AppData\Local\Temp\5051.exe

C:\Users\Admin\AppData\Local\Temp\5051.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\517A.exe

C:\Users\Admin\AppData\Local\Temp\517A.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1832 -ip 1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\5341.exe

C:\Users\Admin\AppData\Local\Temp\5341.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4124 -ip 4124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2332 -ip 2332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 148

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2oA114KX.exe

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2oA114KX.exe

C:\Users\Admin\AppData\Local\Temp\5804.exe

C:\Users\Admin\AppData\Local\Temp\5804.exe

C:\Users\Admin\AppData\Local\Temp\5A96.exe

C:\Users\Admin\AppData\Local\Temp\5A96.exe

C:\Users\Admin\AppData\Local\Temp\5CC9.exe

C:\Users\Admin\AppData\Local\Temp\5CC9.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4204 -ip 4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0xbc,0x7ff9ab4546f8,0x7ff9ab454708,0x7ff9ab454718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 784

C:\Users\Admin\AppData\Local\Temp\6352.exe

C:\Users\Admin\AppData\Local\Temp\6352.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9ab4546f8,0x7ff9ab454708,0x7ff9ab454718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\75E1.exe

C:\Users\Admin\AppData\Local\Temp\75E1.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\842A.exe

C:\Users\Admin\AppData\Local\Temp\842A.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\842A.exe

C:\Users\Admin\AppData\Local\Temp\842A.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\cmd.exe

cmd /c

C:\Windows\system32\runas.exe

runas /user:Administrator C:\Users\Admin\AppData\Local\Temp\842A.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,8491544700653647020,5971447175366869707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM Skype.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM browser.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bc2d9758,0x7ff9bc2d9768,0x7ff9bc2d9778

C:\Windows\system32\taskkill.exe

taskkill /F /IM iridium.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM uran.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM epic.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bc2d9758,0x7ff9bc2d9768,0x7ff9bc2d9778

C:\Windows\system32\taskkill.exe

taskkill /F /IM sputnik.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM 7star.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM centbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM amigo.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\taskkill.exe

taskkill /F /IM torch.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM kometa.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\taskkill.exe

taskkill /F /IM orbitum.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM viber.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM WhatsApp.exe.

C:\Windows\system32\taskkill.exe

taskkill /F /IM monero-wallet-gui.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bc2d9758,0x7ff9bc2d9768,0x7ff9bc2d9778

C:\Windows\system32\taskkill.exe

taskkill /F /IM coinomi.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM bitcoin-qt.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM bytecoinwallet.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4632 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:8

C:\Windows\system32\taskkill.exe

taskkill /F /IM armoryqt.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM atomicwallet.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM exodus.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM electrum.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM dash-qt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM litecoin-qt.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\taskkill.exe

taskkill /F /IM bitcoin-qt.exe

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=1892,i,17559223162798447800,348858453544896858,131072 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\ProgramData\xicidp\tvqccq.exe

C:\ProgramData\xicidp\tvqccq.exe start2

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Network


Files

memory/4748-0-0x0000000000400000-0x000000000053D000-memory.dmp

memory/4748-1-0x0000000000400000-0x000000000053D000-memory.dmp

memory/4748-2-0x0000000000400000-0x000000000053D000-memory.dmp

memory/4748-3-0x0000000000400000-0x000000000053D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe

MD5 c302008479b50a25ee83216d74924844
SHA1 12d9d72b36fce99fc09b1abfa1cd51d0cb710dd9
SHA256 936cb73e29d4e53aaf2d2142de2fe11042df9601f20b4b716de443cf1b69e121
SHA512 eb8f1b5e6106b807832078c45342d7f9b70734f567df0b26aa2ea83d1402429c57692a20239c0554968330835ba16fd06fcaf265c02b73351eabdf7de3bfd444

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4420781.exe

MD5 c302008479b50a25ee83216d74924844
SHA1 12d9d72b36fce99fc09b1abfa1cd51d0cb710dd9
SHA256 936cb73e29d4e53aaf2d2142de2fe11042df9601f20b4b716de443cf1b69e121
SHA512 eb8f1b5e6106b807832078c45342d7f9b70734f567df0b26aa2ea83d1402429c57692a20239c0554968330835ba16fd06fcaf265c02b73351eabdf7de3bfd444

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe

MD5 a0dda08e8fbcec210f91c7988b36de1a
SHA1 5df823c272b5e79a1cd8917058e79491f32f2cfb
SHA256 96d700df4e7024225c2b359d1e8fb2ad49054eea4f0bba28c27c3cdc0817c058
SHA512 903c48fdd647103d6e808f30b53c13617364331620efe0bd3b66034ae5243280bb480c9ac7cbaab77e708875a407df2b49011cd6fac9f1d3527f2edc76601ade

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9846316.exe

MD5 a0dda08e8fbcec210f91c7988b36de1a
SHA1 5df823c272b5e79a1cd8917058e79491f32f2cfb
SHA256 96d700df4e7024225c2b359d1e8fb2ad49054eea4f0bba28c27c3cdc0817c058
SHA512 903c48fdd647103d6e808f30b53c13617364331620efe0bd3b66034ae5243280bb480c9ac7cbaab77e708875a407df2b49011cd6fac9f1d3527f2edc76601ade

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe

MD5 3b34929cfd1cc155202298804a6fa762
SHA1 181683885d8db0e17c3def79d749ba67659e6027
SHA256 422236e2ebe00a9147f1f50f3ca62dfb0b4e8ca510e6362fdb689ee17f779084
SHA512 d9ce88b6ee9a40d4ea6a63fe6cc904af9e5dda9852cab9255b1c3eaad83fbb7dd78240176d18f0e60ef076551b799106056fc010bc510a4d4366ee46e929e455

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971971.exe

MD5 3b34929cfd1cc155202298804a6fa762
SHA1 181683885d8db0e17c3def79d749ba67659e6027
SHA256 422236e2ebe00a9147f1f50f3ca62dfb0b4e8ca510e6362fdb689ee17f779084
SHA512 d9ce88b6ee9a40d4ea6a63fe6cc904af9e5dda9852cab9255b1c3eaad83fbb7dd78240176d18f0e60ef076551b799106056fc010bc510a4d4366ee46e929e455

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe

MD5 8b16394c62cd54d441a143452e7280a1
SHA1 8cc3c7403cdd25be2ddb80803eefc346c3aed883
SHA256 7cc7edf16adbf5722eaaa2989ed2cfd13a3300b949c481089154e0e9ea97940a
SHA512 0651c406c1c4c437894bbbbd5540cc46ea9e1e0c453ab35930f9ba44c9b9c4e1103252b6db0a0de1fd430eaedf36b5882f7ca62b7d4ce420fc9d9f7e7a55f632

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4170220.exe

MD5 8b16394c62cd54d441a143452e7280a1
SHA1 8cc3c7403cdd25be2ddb80803eefc346c3aed883
SHA256 7cc7edf16adbf5722eaaa2989ed2cfd13a3300b949c481089154e0e9ea97940a
SHA512 0651c406c1c4c437894bbbbd5540cc46ea9e1e0c453ab35930f9ba44c9b9c4e1103252b6db0a0de1fd430eaedf36b5882f7ca62b7d4ce420fc9d9f7e7a55f632

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe

MD5 7cd61bff4fbb074c1250f6c62d3c8164
SHA1 93bedda26183d75b32d8916d4bd4858b2f763ee7
SHA256 60792359fd2106928370ef6a123752a734790340ae29ee94118e08ba1f791182
SHA512 d82963d79b79d1f5e8bf8ee39ce9bb020a641f8ef8017d0935d8f2c6933efba01323a0df9622226130b6434b9162fe088027added18345099b73d761bd5a2221

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4513160.exe

MD5 7cd61bff4fbb074c1250f6c62d3c8164
SHA1 93bedda26183d75b32d8916d4bd4858b2f763ee7
SHA256 60792359fd2106928370ef6a123752a734790340ae29ee94118e08ba1f791182
SHA512 d82963d79b79d1f5e8bf8ee39ce9bb020a641f8ef8017d0935d8f2c6933efba01323a0df9622226130b6434b9162fe088027added18345099b73d761bd5a2221

memory/1752-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1752-40-0x0000000073C60000-0x0000000074410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe

MD5 eefd96e9c35afcec8397fc8247a69eb3
SHA1 bb5d397da629d8dd1d4781c50fd2fd366455860a
SHA256 c92fc37d97034f0d93af86deac3c88ed8983018d2fa7d9fc4297deaa95afb1fd
SHA512 6c69e4f34efa8b8c2436f089cbb48818a9279a1c2040fbd62e6f9e5cff6459b1808177df4208093bc06c95f24cde5df464a9961c63a595bf3ef8bd7d393d55e6

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2014171.exe

MD5 eefd96e9c35afcec8397fc8247a69eb3
SHA1 bb5d397da629d8dd1d4781c50fd2fd366455860a
SHA256 c92fc37d97034f0d93af86deac3c88ed8983018d2fa7d9fc4297deaa95afb1fd
SHA512 6c69e4f34efa8b8c2436f089cbb48818a9279a1c2040fbd62e6f9e5cff6459b1808177df4208093bc06c95f24cde5df464a9961c63a595bf3ef8bd7d393d55e6

memory/2856-44-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2856-45-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2856-46-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2856-48-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe

MD5 af99ffc9e5879f2b9c090a7e09ec9e27
SHA1 c9366a13771eb34118a365ba448b07b03df2ec91
SHA256 917eeb6ba9dfe8abfa66df7ee3b6ef12a47eb7d02fe2c7177bb7c0692ca1b556
SHA512 711f2fab518d81fa3f1809bff023682da37e7649667872deefaac9bca3a717de92b5dfcb0427bcaeee0a238c328e2a7862fdd1e42d566ac01f9d095ee8c0c134

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8847273.exe

MD5 af99ffc9e5879f2b9c090a7e09ec9e27
SHA1 c9366a13771eb34118a365ba448b07b03df2ec91
SHA256 917eeb6ba9dfe8abfa66df7ee3b6ef12a47eb7d02fe2c7177bb7c0692ca1b556
SHA512 711f2fab518d81fa3f1809bff023682da37e7649667872deefaac9bca3a717de92b5dfcb0427bcaeee0a238c328e2a7862fdd1e42d566ac01f9d095ee8c0c134

memory/4240-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4240-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3628529.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3628529.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6562103.exe

MD5 e728acb250058069396e85b4eac242d1
SHA1 e75d9253f19b8aa4c98d08417c7538d748ae9742
SHA256 2b2b92f539c9a1861bb850b639cab0acc26844535e3191dadb21d3eb9beea005
SHA512 f6be776fa693197a7645b83e9754ba88223d24093423e0e69675bceebd0a174232ebde4dd5bbe176e41ef84c2c690616ab322877325890d43aa3720072d61495

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6562103.exe

MD5 e728acb250058069396e85b4eac242d1
SHA1 e75d9253f19b8aa4c98d08417c7538d748ae9742
SHA256 2b2b92f539c9a1861bb850b639cab0acc26844535e3191dadb21d3eb9beea005
SHA512 f6be776fa693197a7645b83e9754ba88223d24093423e0e69675bceebd0a174232ebde4dd5bbe176e41ef84c2c690616ab322877325890d43aa3720072d61495

C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1

MD5 396a54bc76f9cce7fb36f4184dbbdb20
SHA1 bb4a6e14645646b100f72d6f41171cd9ed6d84c4
SHA256 569231a6d7fcb66f4cacf62fd927c9c7da74d720e78ae09e07032b71a1e0a43a
SHA512 645dd17a7ddad1f8cc7b35ff0c2a5c02edfe13f21e312c3e2b7b87f75b18376cc153b2f7323558fa4fb36422878bbcc40c66ab3f6f83c60a8bee3c87ae296bbe

memory/4956-75-0x0000000002780000-0x00000000027B6000-memory.dmp

memory/3392-74-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4956-76-0x0000000073C60000-0x0000000074410000-memory.dmp

memory/3392-83-0x0000000004F60000-0x0000000004F66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe

MD5 e2653ea779dfa83d932a209e83766279
SHA1 30df9859ac93992ddf916c052402365c22019ae6
SHA256 4fc0e969b8367e21b734926d5d8c4618cbde095483ad6a03642d20ae5e27ba4c
SHA512 67ba9d47d0486c7e62faf85beb65056992da00abb27e9b74b90f03a92c6ecea7c31af18e5471b1475e57b6bc95b6ce10f24dd03d4e251aaac6d473ae35c476c6

memory/3392-84-0x0000000073C60000-0x0000000074410000-memory.dmp

memory/4748-85-0x0000000000400000-0x000000000053D000-memory.dmp

memory/4956-86-0x0000000002800000-0x0000000002810000-memory.dmp

memory/4956-92-0x0000000002800000-0x0000000002810000-memory.dmp

memory/4956-89-0x0000000005260000-0x0000000005888000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe

MD5 e2653ea779dfa83d932a209e83766279
SHA1 30df9859ac93992ddf916c052402365c22019ae6
SHA256 4fc0e969b8367e21b734926d5d8c4618cbde095483ad6a03642d20ae5e27ba4c
SHA512 67ba9d47d0486c7e62faf85beb65056992da00abb27e9b74b90f03a92c6ecea7c31af18e5471b1475e57b6bc95b6ce10f24dd03d4e251aaac6d473ae35c476c6

memory/4956-95-0x00000000050F0000-0x0000000005112000-memory.dmp

memory/4956-96-0x0000000005A00000-0x0000000005A66000-memory.dmp

memory/4956-97-0x0000000005A70000-0x0000000005AD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mh5uensl.gx5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe

MD5 e2653ea779dfa83d932a209e83766279
SHA1 30df9859ac93992ddf916c052402365c22019ae6
SHA256 4fc0e969b8367e21b734926d5d8c4618cbde095483ad6a03642d20ae5e27ba4c
SHA512 67ba9d47d0486c7e62faf85beb65056992da00abb27e9b74b90f03a92c6ecea7c31af18e5471b1475e57b6bc95b6ce10f24dd03d4e251aaac6d473ae35c476c6

memory/3392-107-0x00000000056A0000-0x0000000005CB8000-memory.dmp

memory/4956-110-0x0000000005C30000-0x0000000005F84000-memory.dmp

memory/3392-112-0x0000000005110000-0x0000000005122000-memory.dmp

memory/3392-119-0x0000000004F70000-0x0000000004F80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe

MD5 5ecf660444c5950f928f231c59e01ccf
SHA1 e92ba6431c28dd0280de17dce1c27baa987cf6b4
SHA256 521f6870a363ff65470792799f32a31b9a55349765195a9c0e5e0d64ffa38307
SHA512 0d08a5e0668491ff40ea5d88664d1b7c8dd2d38e458c9650da98187c404d11743ddbe984cb43f417fa940ccf1574ee4d3ffc2c3ac3ab6fe045dbb51a722a9aca

memory/3392-120-0x0000000005170000-0x00000000051AC000-memory.dmp

memory/2516-124-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3392-133-0x00000000052E0000-0x000000000532C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PY7xi2EX.exe

MD5 fa74448a1606535fa9a3b88bdb8da11a
SHA1 69d7a5deb58d80fb10385db3ca067e671827b0a8
SHA256 64fe6ea989722a37b55c0911bca6d3ad5b5ffa04a643223c82bf7a247e85fb33
SHA512 c8a0ff76876e30a6570138bb1c2867f5cd67c7a1614babbfff6e4f7e67c417197c7ddfe6833daa723b4898605ed9527d57db8fd93eddf048629e4ee7ee1637fb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\PY7xi2EX.exe

MD5 fa74448a1606535fa9a3b88bdb8da11a
SHA1 69d7a5deb58d80fb10385db3ca067e671827b0a8
SHA256 64fe6ea989722a37b55c0911bca6d3ad5b5ffa04a643223c82bf7a247e85fb33
SHA512 c8a0ff76876e30a6570138bb1c2867f5cd67c7a1614babbfff6e4f7e67c417197c7ddfe6833daa723b4898605ed9527d57db8fd93eddf048629e4ee7ee1637fb

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6385989.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Gq5LF2NL.exe

MD5 26cc005cb9fd1a174a6918f0ae152e9d
SHA1 9f24dcb866b25e8352955fa8ee824d1eaeade486
SHA256 040350051a8ebe1bc763d8eb4d493bee7ade9499bcbdc6abd0b299cc02a01995
SHA512 fa1fd14dd50223c2b7c9d1e48968f0991fc25035ced629287e35ce9123d45285b0154c11bb17e079f74b92756d64467a2fb5002550294dc39ce65877d8dd63cd

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\Gq5LF2NL.exe

MD5 26cc005cb9fd1a174a6918f0ae152e9d
SHA1 9f24dcb866b25e8352955fa8ee824d1eaeade486
SHA256 040350051a8ebe1bc763d8eb4d493bee7ade9499bcbdc6abd0b299cc02a01995
SHA512 fa1fd14dd50223c2b7c9d1e48968f0991fc25035ced629287e35ce9123d45285b0154c11bb17e079f74b92756d64467a2fb5002550294dc39ce65877d8dd63cd

memory/4240-159-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe

MD5 e92f0e5c0acbede9451b1dc8d95f056c
SHA1 f12699dc9e95f7d74109eebb8e9ab9e559bdf525
SHA256 b86133a9e04b4620245d934e1222905db8c2bca65cf116b7baa00617ab920cce
SHA512 737fd11b47f42c18e0a5cadd5bdac6bb4d5e50b47dd571e8201593a705192f173da8121d8c7740b20b2b06870a180fbc8f54381388e82ffa09bae364f26f7773

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er1Jb6pC.exe

MD5 049066f06e5f41ceeea64cd948f95bc4
SHA1 4d2d2d8bfa6134992c1f7217435445bc5af3f526
SHA256 5e4beedbcaec2307b46433b6f29be36c650f4214b7078b3f0b55c1fa4a81635c
SHA512 35dc2047d269b1eb7d91e1fdd39f11c8c520e88eadc24e2c0096effdb0b54ee66d89a626ac5f8c9da4bebab13be318bdca1883d01eaf4bd24a9c2d0a51d3be3b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er1Jb6pC.exe

MD5 049066f06e5f41ceeea64cd948f95bc4
SHA1 4d2d2d8bfa6134992c1f7217435445bc5af3f526
SHA256 5e4beedbcaec2307b46433b6f29be36c650f4214b7078b3f0b55c1fa4a81635c
SHA512 35dc2047d269b1eb7d91e1fdd39f11c8c520e88eadc24e2c0096effdb0b54ee66d89a626ac5f8c9da4bebab13be318bdca1883d01eaf4bd24a9c2d0a51d3be3b

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\GL2UB3gT.exe

MD5 6f7a74a4a37fdd1828703d70ff2ee808
SHA1 de13b8d649635b04e15520a935207b69a7f8f652
SHA256 aa54e32bda477030edb9ff09131668c2be8b610f845720d75b3278feb0cf2ac3
SHA512 01937e248ba445f8447730c7057b83cace767a5dd4f1e91be8adfef735b2630f67191092f5d6e6959700f1eb52bfd92abe225c2ce09dfa9323d87c7a796ef79c

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1fJ09tq5.exe

MD5 e1fb9c32ee188e153ec4219285a696c2
SHA1 0f160b5ac9ffc7cd9079080f54601f70d05570de
SHA256 32baaeeebd843aebcbe2fc4943bd1185149c1b59c7af315a57a8024dbdb31be5
SHA512 4cdfb7dd31e765abff55bd2cc755c66e2ef99732c04141093269b3bc174a79bd47dbff541b1767a14c236c67c8c45a554acfa1df16cf1c5813d8de243eda82eb

C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe

MD5 e92f0e5c0acbede9451b1dc8d95f056c
SHA1 f12699dc9e95f7d74109eebb8e9ab9e559bdf525
SHA256 b86133a9e04b4620245d934e1222905db8c2bca65cf116b7baa00617ab920cce
SHA512 737fd11b47f42c18e0a5cadd5bdac6bb4d5e50b47dd571e8201593a705192f173da8121d8c7740b20b2b06870a180fbc8f54381388e82ffa09bae364f26f7773

memory/4956-195-0x00000000060A0000-0x00000000060BE000-memory.dmp

memory/4748-197-0x0000000000400000-0x000000000053D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1fJ09tq5.exe

MD5 e1fb9c32ee188e153ec4219285a696c2
SHA1 0f160b5ac9ffc7cd9079080f54601f70d05570de
SHA256 32baaeeebd843aebcbe2fc4943bd1185149c1b59c7af315a57a8024dbdb31be5
SHA512 4cdfb7dd31e765abff55bd2cc755c66e2ef99732c04141093269b3bc174a79bd47dbff541b1767a14c236c67c8c45a554acfa1df16cf1c5813d8de243eda82eb

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\GL2UB3gT.exe

MD5 6f7a74a4a37fdd1828703d70ff2ee808
SHA1 de13b8d649635b04e15520a935207b69a7f8f652
SHA256 aa54e32bda477030edb9ff09131668c2be8b610f845720d75b3278feb0cf2ac3
SHA512 01937e248ba445f8447730c7057b83cace767a5dd4f1e91be8adfef735b2630f67191092f5d6e6959700f1eb52bfd92abe225c2ce09dfa9323d87c7a796ef79c

memory/3148-152-0x0000000002D60000-0x0000000002D76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6385989.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe

MD5 5ecf660444c5950f928f231c59e01ccf
SHA1 e92ba6431c28dd0280de17dce1c27baa987cf6b4
SHA256 521f6870a363ff65470792799f32a31b9a55349765195a9c0e5e0d64ffa38307
SHA512 0d08a5e0668491ff40ea5d88664d1b7c8dd2d38e458c9650da98187c404d11743ddbe984cb43f417fa940ccf1574ee4d3ffc2c3ac3ab6fe045dbb51a722a9aca

C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe

MD5 5ecf660444c5950f928f231c59e01ccf
SHA1 e92ba6431c28dd0280de17dce1c27baa987cf6b4
SHA256 521f6870a363ff65470792799f32a31b9a55349765195a9c0e5e0d64ffa38307
SHA512 0d08a5e0668491ff40ea5d88664d1b7c8dd2d38e458c9650da98187c404d11743ddbe984cb43f417fa940ccf1574ee4d3ffc2c3ac3ab6fe045dbb51a722a9aca

memory/1752-121-0x0000000073C60000-0x0000000074410000-memory.dmp

memory/3392-109-0x00000000051D0000-0x00000000052DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe

MD5 e92f0e5c0acbede9451b1dc8d95f056c
SHA1 f12699dc9e95f7d74109eebb8e9ab9e559bdf525
SHA256 b86133a9e04b4620245d934e1222905db8c2bca65cf116b7baa00617ab920cce
SHA512 737fd11b47f42c18e0a5cadd5bdac6bb4d5e50b47dd571e8201593a705192f173da8121d8c7740b20b2b06870a180fbc8f54381388e82ffa09bae364f26f7773

memory/3636-200-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1

MD5 396a54bc76f9cce7fb36f4184dbbdb20
SHA1 bb4a6e14645646b100f72d6f41171cd9ed6d84c4
SHA256 569231a6d7fcb66f4cacf62fd927c9c7da74d720e78ae09e07032b71a1e0a43a
SHA512 645dd17a7ddad1f8cc7b35ff0c2a5c02edfe13f21e312c3e2b7b87f75b18376cc153b2f7323558fa4fb36422878bbcc40c66ab3f6f83c60a8bee3c87ae296bbe

memory/3636-205-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3636-202-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1752-204-0x0000000073C60000-0x0000000074410000-memory.dmp

memory/1400-210-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3636-209-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1400-208-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1400-212-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4956-213-0x0000000002800000-0x0000000002810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2gA840Qk.exe

MD5 c7747b2f03c656c810bb2860db64bc9b
SHA1 7ac109f6b54a916cc50b13f21dd25afdf96b4c6f
SHA256 9d64dd96fec38e41895e114650bcb3eabc27b6e4298798139bb718e5f579675a
SHA512 259805152ec02c071aa2da2cf3d512a19d3b58be221579dcac47dda7986e8b1ec7dbff704907309a99549e48466a6547af64ab9dfab771aa22a254621bbe1ab1

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2gA840Qk.exe

MD5 c7747b2f03c656c810bb2860db64bc9b
SHA1 7ac109f6b54a916cc50b13f21dd25afdf96b4c6f
SHA256 9d64dd96fec38e41895e114650bcb3eabc27b6e4298798139bb718e5f579675a
SHA512 259805152ec02c071aa2da2cf3d512a19d3b58be221579dcac47dda7986e8b1ec7dbff704907309a99549e48466a6547af64ab9dfab771aa22a254621bbe1ab1

memory/2328-220-0x0000000000EE0000-0x0000000000F1E000-memory.dmp

memory/4956-218-0x0000000073C60000-0x0000000074410000-memory.dmp

memory/4956-219-0x00000000065B0000-0x00000000065CA000-memory.dmp

memory/2328-221-0x0000000073C60000-0x0000000074410000-memory.dmp

memory/4956-222-0x0000000006620000-0x0000000006642000-memory.dmp

memory/4956-217-0x0000000007110000-0x00000000071A6000-memory.dmp

memory/2328-223-0x0000000008150000-0x00000000086F4000-memory.dmp

memory/2328-224-0x0000000007CA0000-0x0000000007D32000-memory.dmp

memory/3392-225-0x0000000073C60000-0x0000000074410000-memory.dmp

memory/4956-227-0x000000007F890000-0x000000007F8A0000-memory.dmp

memory/2328-231-0x0000000007D60000-0x0000000007D6A000-memory.dmp

memory/2328-232-0x0000000007E00000-0x0000000007E10000-memory.dmp

memory/4956-244-0x0000000007450000-0x00000000074F3000-memory.dmp

memory/4956-242-0x0000000007430000-0x000000000744E000-memory.dmp

memory/4956-230-0x000000006E2D0000-0x000000006E31C000-memory.dmp

memory/4956-226-0x00000000073F0000-0x0000000007422000-memory.dmp

memory/4956-245-0x0000000008390000-0x0000000008A0A000-memory.dmp

memory/4956-249-0x00000000075E0000-0x00000000075EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe

MD5 2a18e8163bdd80fcde52ac7a630ca65d
SHA1 18983ef45b2953cb5b7ee9ed6fa153e406c85311
SHA256 f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82
SHA512 bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb

memory/4956-255-0x0000000002800000-0x0000000002810000-memory.dmp

memory/4956-258-0x0000000002800000-0x0000000002810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe

MD5 2a18e8163bdd80fcde52ac7a630ca65d
SHA1 18983ef45b2953cb5b7ee9ed6fa153e406c85311
SHA256 f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82
SHA512 bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb

C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe

MD5 2a18e8163bdd80fcde52ac7a630ca65d
SHA1 18983ef45b2953cb5b7ee9ed6fa153e406c85311
SHA256 f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82
SHA512 bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb

memory/4956-264-0x0000000007740000-0x0000000007751000-memory.dmp

memory/3392-265-0x0000000004F70000-0x0000000004F80000-memory.dmp

memory/4956-266-0x00000000075D0000-0x00000000075DE000-memory.dmp

memory/4956-267-0x0000000007D70000-0x0000000007D84000-memory.dmp

memory/4956-268-0x0000000007DB0000-0x0000000007DCA000-memory.dmp

memory/4956-269-0x0000000007D90000-0x0000000007D98000-memory.dmp

memory/4956-273-0x0000000073C60000-0x0000000074410000-memory.dmp

\??\pipe\crashpad_4280_AKDHRXJZGRHGIJLI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 aab2c0ac341d244950bd1fc232f6cd54
SHA1 024cc43041e8f4e0a113e1c5eafa28dc7afe778d
SHA256 a9fc1e5ea4a6d391f361aafe110970589f2d25665e456f43c9f16fa0c716bddd
SHA512 8bd7c9d0a827e0444cff4201ccac65a024c8147300c5cdad85a32f409d25b4b37e6ba85598fbb3c1b87a731c260091d7ad2dedc3e062cc159cdb16e7022537d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 5c299516d30289451a38f8ade2003dd5
SHA1 e12c2f2c94452fe32c72f9a5c1a1e92a886f805e
SHA256 1c498285e1afac4f7f81277dced16959cc661678f0b58f8df5c3375ae90b8e73
SHA512 0758686914cd2b29677a897bd7c0fb4d0c39a5ef7ebd15cc2955d78ca1d60c242fc364711a252abda6250f97b4fb1e389f225140fa39ff50a99ce6d8635d3ccd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 1e1f8b1a3ef7ee88754319a03501e1a5
SHA1 a2b8ae1f11cc4dd980f52f29f5a74218cc6f3485
SHA256 cc26bdb27938793cdc557a3764e75627437260d97ef6dd0b21e14eac7b266f81
SHA512 9487228a74d14571d02463736c012eaf6090b240c979b7729a2268664d9fda145b49bf104cf56dcf0e58b341836d7ba10b3019ae18445c3524827b966e70508c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 1e1f8b1a3ef7ee88754319a03501e1a5
SHA1 a2b8ae1f11cc4dd980f52f29f5a74218cc6f3485
SHA256 cc26bdb27938793cdc557a3764e75627437260d97ef6dd0b21e14eac7b266f81
SHA512 9487228a74d14571d02463736c012eaf6090b240c979b7729a2268664d9fda145b49bf104cf56dcf0e58b341836d7ba10b3019ae18445c3524827b966e70508c

memory/2328-341-0x0000000073C60000-0x0000000074410000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M0XE9BAD\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\cw5vowd\imagestore.dat

MD5 e886f898ed1b0a843146c2ac861706f1
SHA1 7b8f60825e8bfe8f180ec16699144a878ac57feb
SHA256 a45d7f16af51f2a21990c2368a8763319f131d78f7a47f8c29c95afb7c5feefe
SHA512 5b6cfd48f8bda26e02abe9a2f4a0acda498b86aee1e468f1ad9350f29a99edf97aee60b51650dd7f33a1b7b51583199dcd79a0599319c1a5a34ba27b68790caa

memory/2328-394-0x0000000007E00000-0x0000000007E10000-memory.dmp

C:\ProgramData\xicidp\tvqccq.exe

MD5 2a18e8163bdd80fcde52ac7a630ca65d
SHA1 18983ef45b2953cb5b7ee9ed6fa153e406c85311
SHA256 f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82
SHA512 bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb

C:\ProgramData\xicidp\tvqccq.exe

MD5 2a18e8163bdd80fcde52ac7a630ca65d
SHA1 18983ef45b2953cb5b7ee9ed6fa153e406c85311
SHA256 f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82
SHA512 bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 4e71ea113c39c3054530f8e5ed464b38
SHA1 70b8e5d314a5030975083a486e8489caa14d538b
SHA256 bff8041b0cb2a6494f0e290cf703f878c3b275d7f150974b3c6443ee070c47a5
SHA512 a16406366b607f98237402b0473497a3e897542ff3ee49f7eccb45dc7ab60c4801365d6e0db37236d55b1d23613b16bbb3e7c8bf242c4390a0a07ebcc98e856f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 dc5bf19545d4c94aedf3410e83bb54f2
SHA1 405517b3ac7753c5254b4e43c6f5c539ba8299bf
SHA256 9551cdaf05f524f0e6bdbdb63c13a804e87bb70273e192f6e12c6b1313e0ed8c
SHA512 5326b7c3415b77dd2d48aa6a309aeefb6ac7c16fae6c33437f8c51623bacb574849a49f1dd60999ee801181715c272ff35a0d168959ef7d7c6f3b411a4850ee5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 159034b95837394fc5dd6af6e4655dd8
SHA1 231668e3d3cb1ed365706343dde901102c7f6825
SHA256 6e3cae4b2ce760fcfba53e4c90a5e9e87264e36de1e397bf0d324611ae57fd92
SHA512 1a62aacea632c412e51bc7ba98b4aa1660a793c076dbfba33b72837b64539d40b57b38c6c5b30e3de03e7e4927c3dcdadc5ba624f2e3f74516ecb0704cff3734

C:\Users\Admin\AppData\Local\Temp\4CB4.exe

MD5 ea268ea4d55e60f0f1ec5bb34e0e03c1
SHA1 14a84040962e8e267f23e469041fcfb2299fed21
SHA256 514b3ef7e4d2db0be517a79278bb0810eb4d3b54d93e6cce1da7690b26be7ac5
SHA512 41d57dc83787b66100ca8884a0ecbabacfdbb3509d1eea34ce597e6720c68673aee52bec6aa103446edef45dc9bd79963051a5af347a50dc1c0392ee501870b5

C:\Users\Admin\AppData\Local\Temp\4CB4.exe

MD5 ea268ea4d55e60f0f1ec5bb34e0e03c1
SHA1 14a84040962e8e267f23e469041fcfb2299fed21
SHA256 514b3ef7e4d2db0be517a79278bb0810eb4d3b54d93e6cce1da7690b26be7ac5
SHA512 41d57dc83787b66100ca8884a0ecbabacfdbb3509d1eea34ce597e6720c68673aee52bec6aa103446edef45dc9bd79963051a5af347a50dc1c0392ee501870b5

C:\Users\Admin\AppData\Local\Temp\4D61.exe

MD5 e1fb9c32ee188e153ec4219285a696c2
SHA1 0f160b5ac9ffc7cd9079080f54601f70d05570de
SHA256 32baaeeebd843aebcbe2fc4943bd1185149c1b59c7af315a57a8024dbdb31be5
SHA512 4cdfb7dd31e765abff55bd2cc755c66e2ef99732c04141093269b3bc174a79bd47dbff541b1767a14c236c67c8c45a554acfa1df16cf1c5813d8de243eda82eb

C:\Users\Admin\AppData\Local\Temp\4D61.exe

MD5 e1fb9c32ee188e153ec4219285a696c2
SHA1 0f160b5ac9ffc7cd9079080f54601f70d05570de
SHA256 32baaeeebd843aebcbe2fc4943bd1185149c1b59c7af315a57a8024dbdb31be5
SHA512 4cdfb7dd31e765abff55bd2cc755c66e2ef99732c04141093269b3bc174a79bd47dbff541b1767a14c236c67c8c45a554acfa1df16cf1c5813d8de243eda82eb

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe

MD5 7da9d23e390d389c223ee210c1d44cd5
SHA1 419db1be012ffe1b300dbf4bf2d5dd2077034414
SHA256 5562616f58e6613da22f98c84441206fb2ff84ebd3f7a1f04979904c35c6974a
SHA512 bfbd8cdd923e2e481a5ef909abc9c83c438d1a21230125eb540c3c1cdf7ceb11889551ae73cfb7a3c8eb2192c7d652398161b0806ef9654965da3b37279b5eb5

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2oA114KX.exe

MD5 02bb293d4d6bc0af5a2858909dccd5f9
SHA1 f39ed285b4265f8b1792cb0bbe94cd5ae617a13b
SHA256 51f954c41b6cf94a2e01b9c19f0a5d8016e3d7bcf2d6219bbc9193c1180e562e
SHA512 18062c8826a63ff0ab5d0a7ff7b6c2900631b18203871d5a495ffd3866edf85d05e1109756061eca6a6c918afe6575acc79f1a4adda116e13d2d93d6dc49fa81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 00e9949caf010f9a76019545fec1564c
SHA1 2346cacecf725bf865c08f0dcf9037176e4fd39e
SHA256 624770baf36b26bd14ca668bbfb06bc6d1d7abfdc18b522bebfff385f9645e9a
SHA512 5004641a8b47594f5cce48ab0fa031392d1c5ebe3c376ad1d5c681a6f6aeaab4d301c8c7456b2baee21d8b621a9f3ea6cd9bdce8f97e586baa94a337fb9ceb23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7de99a9a0eb50e4f87dc3ba799f073f2
SHA1 cbd9a5c8771fcf65ef15e64381c682a555f090a9
SHA256 ac7834556fe5fcea6b228e6019ca7036a87d06e391dc10d43d0f72e9490bb5b4
SHA512 6e2d54651386e489c942c585af6e2e6280c3b0a610d5d69a599af9d86a0f2c9bc84d18987a1b9ee25e0b3eb440b563f0c7f66b0ad95dd4573a3267f42b13b8f7

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\tmp7CFC.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp7D60.tmp

MD5 6e98ae51f6cacb49a7830bede7ab9920
SHA1 1b7e9e375bd48cae50343e67ecc376cf5016d4ee
SHA256 192cd04b9a4d80701bb672cc3678912d1df8f6b987c2b4991d9b6bfbe8f011fd
SHA512 3e7cdda870cbde0655cc30c2f7bd3afee96fdfbe420987ae6ea2709089c0a8cbc8bb9187ef3b4ec3f6a019a9a8b465588b61029869f5934e0820b2461c4a9b2b

C:\Users\Admin\AppData\Local\Temp\tmp7DBA.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp7E10.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\tmp7DF5.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp7DD0.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b7c03cd2df35b03488e8529e36ce9d89
SHA1 b1f0346d8098664615b30ee56662b2867c7ea45a
SHA256 7c6e8506e7d218395aa550d64678a7f2869cc65672942d74eefa893ae119887b
SHA512 ce6f91ff551b2a25ef82c167465e29fb3c83ac7a3550e6e8f3c470ef9851c9a624b8797615caa31bd41ff6873b9944b0d85dfc4b7fb35253f9f49d0daf53b2ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5ed9a117369545f72a95a20e7cccd232
SHA1 104bea5c996437bc6b6a841c5466f162c0d92bc9
SHA256 e24e2fad2096e28a532374b6db3dcaae55b271545480533be32b03b84576941b
SHA512 4e9d6765db24bfeb0aa74d028a3badff0959b9c2171052957d8777c13150094b7da48be5160a9b0690258133e126d259de8702daf58b27cd5f28a59fd3c08674

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 699e3636ed7444d9b47772e4446ccfc1
SHA1 db0459ca6ceeea2e87e0023a6b7ee06aeed6fded
SHA256 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a
SHA512 d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 9e7dc0d7faf39fda09051a5663071307
SHA1 368ca45bdf815d8a3c38e846f5fba8e3835fad43
SHA256 a961cbe46942ca995cccdf9d02100b12f2c690e77deda91f8582f48d62138320
SHA512 124c215c302a37aa87a9fbc3e898e8024ac778c3c2d400b55a6ecbc59e8125229778eaa7da7eb389013e14c48b40330beedd14e2e3f4828800b004c01206703a

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 0c459e65bcc6d38574f0c0d63a87088a
SHA1 41e53d5f2b3e7ca859b842a1c7b677e0847e6d65
SHA256 871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4
SHA512 be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2ac6d3fcf6913b1a1ac100407e97fccb
SHA1 809f7d4ed348951b79745074487956255d1d0a9a
SHA256 30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe
SHA512 79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b5d85e60-cebf-40fa-9546-15251be752f4.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\NL10.127.0.129\Google Chrome\creditcard.txt

MD5 2a76b3e934844a2a713d509f764db633
SHA1 3c190760fc63f72319dcc8535626e5f4cf6f46ff
SHA256 0d4d39a3d65d961dbd5df255f4cf69ab6b87076a9a366a8db723c98b7bbf20f2
SHA512 6d8f86a39dacb158cba5956610578f3e9873d66547e62cb491c440b108062cae2c35d16e292fd2f528d70ed9e5814c8916f4ada9f551498a5366fb709a9b1a82

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 6d5040418450624fef735b49ec6bffe9
SHA1 5fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256 dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512 bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 f2e318d049285be9bc7f19eba6b12a02
SHA1 398724297c3dfaaa9e06df6715c290e8297faace
SHA256 5ca73ce1f99810062dbafe47b44fa0b578049733dbc4a58b491acc4f3cbeab6f
SHA512 48bba97e4415eca02d7f9a052511bde5d4fad54a03738264860f02defddbafb1739b2b7b1ed0a5902e50e2470c7ca5455a4e70e68c5ac81d6d61aa0e3a1a78e6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 28e7db55a0dd84be4bd036f344dd660d
SHA1 c6c4562530a53dd35ba15d85245697e0a3cf0507
SHA256 275426e870fdb2820e029f14adc25b8c861f259246cb1b0414996347fb3bb3d4
SHA512 e67e65d7c85cb9fd3b85222e5bb089edd755331f432945652041fe5a1f1917621f3ffd3a12efa13c8a5e390b4cec56bf53bfbd7195caf25b52c67741dd4327cd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 7e3f7ad5ffbb8dcc94e7bdeeadc6afe4
SHA1 f1e6dfbc72960ea4bf4348c48b58487afb2802ff
SHA256 aaaac66839cd1193da4657576558d9c123dc003c1abf4f9e71672daf9e12c440
SHA512 e0b1d00e3c9c73ad9f4c0d7734c843908fff9595f77ca1688e82945a70478c049c6116ddc6629212b0fb290c5fd260203f5e207b400fc4cf87f1190849fbcdaa

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M0XE9BAD\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 31b0a57af336ec8e93b3d7f7a854ff5c
SHA1 c26bce8287ca0e6cafd3167fccd3fd7e818325e2
SHA256 ddb29a7b99750b5e534815cc0efc9479b2743ad7d93e660cc256d80236f00a38
SHA512 5f163108c8764c249773a0fdb1ca0c5f8ffdd53c578875d381459f9fcf442994aa6a9432de87dde946a4fe97d425ecd08d4bd7757c896e36946cfe186e08d346