Malware Analysis Report

2024-11-30 23:24

Sample ID 231012-p6jwxsch38
Target 94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408
SHA256 94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408
Tags
amadey dcrat glupteba healer redline smokeloader systembc breha kukish prets backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408

Threat Level: Known bad

The file 94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408 was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

Healer

SystemBC

Detected google phishing page

Modifies Windows Defender Real-time Protection settings

RedLine

Amadey

Detects Healer an antivirus disabler dropper

Glupteba

RedLine payload

DcRat

Looks for VirtualBox Guest Additions in registry

Modifies Windows Firewall

Looks for VMWare Tools registry key

Downloads MZ/PE file

Checks BIOS information in registry

Windows security modification

Loads dropped DLL

Uses the VBS compiler for execution

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Reads user/profile data of local email clients

.NET Reactor protector

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Maps connected drives based on registry

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Enumerates system info in registry

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 12:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 12:56

Reported

2023-10-16 03:41

Platform

win10v2004-20230915-en

Max time kernel

111s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3855.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\3855.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3855.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\3855.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\3855.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\861E.exe N/A

Downloads MZ/PE file

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\861E.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\861E.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9708782.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5D96.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4B74.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6692191.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4457421.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9128519.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6300316.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6692191.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7090902.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MU0Vk9th.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Kg5JV7VZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9708782.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\hr3Gd1wJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\wO2jM2dA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1mP48Ne7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2oA114KX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2B70.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe N/A
N/A N/A C:\ProgramData\vhvd\ftjha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\315D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3660.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3855.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3D19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2oA114KX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\448C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4836.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4B74.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\53B2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5D96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\861E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\861E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wiruura N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\3855.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nalo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000077051\\nalo.exe" C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\wO2jM2dA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4457421.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6300316.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9128519.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sus.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000075051\\sus.exe" C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MU0Vk9th.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Kg5JV7VZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\hr3Gd1wJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2B70.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup9 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP010.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto2552.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000076051\\foto2552.exe" C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000127051\\socks.exe" C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
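The registry rows in the "Modifies Windows Defender Real-time Protection settings", "Windows security modification" and "Adds Run key to start application" tables mix three different things: policy values that switch off Defender components, genuine HKCU Run autoruns, and RunOnce `wextract_cleanupN` entries. The last group is written by the IExpress/WEXTRACT self-extractor itself (it schedules `advpack.dll,DelNodeRunDLL32` to delete its own `IXPnnn.TMP` directory) and is not attacker-authored persistence, but the extractor's directory compared with the directory it cleans up reveals how deeply the self-extracting layers are nested. The script below is an added example, not part of the original report or of the sandbox that produced it; it parses a constructed subset of the rows above, copied verbatim from this page, and sorts them into those buckets. The row grammar it assumes (indicator begins with `\REGISTRY\`, the acting process is the last `C:\` path before the trailing `N/A`) is an inference from the tables on this page.

```python
import re
from collections import defaultdict

# Rows copied from this report's signature tables (a constructed subset).
ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3855.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\3855.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4457421.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nalo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000077051\\nalo.exe" C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A',
]

# Row grammar inferred from the tables: "<op> [(type)] <\REGISTRY\...path> [= <data>]".
ROW_RE = re.compile(
    r'^(?P<op>Set value|Key created|Key opened|Key value queried)'
    r'(?: \((?P<type>\w+)\))? (?P<path>\\REGISTRY\\.*?)(?: = (?P<data>.*))?$')

DEFENDER_RTP = r'\Policies\Microsoft\Windows Defender\Real-Time Protection'
RTP_FLAGS = {  # value name -> what a "1" switches off
    'DisableRealtimeMonitoring': 'real-time scanning',
    'DisableBehaviorMonitoring': 'behaviour monitoring',
    'DisableOnAccessProtection': 'on-access scanning',
    'DisableIOAVProtection': 'scanning of downloaded files and attachments',
    'DisableScanOnRealtimeEnable': 'catch-up scan when real-time protection returns',
}
IXP_RE = re.compile(r'IXP(\d{3})\.TMP')


def parse_row(row):
    # The acting process is the last "C:\" path before the trailing "N/A" target column;
    # data strings may themselves contain "C:\\..." but those are never preceded by a space.
    body = row.rstrip()
    if body.endswith(' N/A'):
        body = body[:-4]
    head, sep, proc = body.rpartition(' C:\\')
    if not sep:
        raise ValueError(f'no process column in: {row!r}')
    m = ROW_RE.match(head)
    if not m:
        raise ValueError(f'unrecognised row: {row!r}')
    path, data = m['path'], m['data']
    # For "Set value" the last path component is the value name, not part of the key.
    key, value = path.rsplit('\\', 1) if m['op'] == 'Set value' else (path, None)
    if data is not None and len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return {'op': m['op'], 'key': key, 'value': value, 'data': data, 'process': 'C:\\' + proc}


def classify(rows):
    """Bucket registry writes into Defender tampering, autorun persistence,
    IExpress self-cleanup (nesting evidence) and everything else."""
    out = defaultdict(list)
    for r in map(parse_row, rows):
        key, val, data, proc = r['key'], r['value'], r['data'], r['process']
        if key.endswith(DEFENDER_RTP) and val in RTP_FLAGS and data == '1':
            out['defender_tamper'].append((proc, f'disables {RTP_FLAGS[val]}'))
        elif key.endswith(r'\Windows Defender\Features') and val == 'TamperProtection' and data == '0':
            out['defender_tamper'].append((proc, 'clears the TamperProtection feature flag'))
        elif (key.endswith(r'\CurrentVersion\RunOnce') and val.startswith('wextract_cleanup')
              and 'DelNodeRunDLL32' in (data or '')):
            # Written by the IExpress extractor for itself: the process lives in one
            # IXPnnn.TMP directory and schedules deletion of the one it just unpacked.
            outer, inner = IXP_RE.search(proc), IXP_RE.search(data)
            out['iexpress_layers'].append((outer.group(0) if outer else proc, inner.group(0)))
        elif key.endswith(r'\CurrentVersion\Run') and val:
            out['persistence'].append((proc, val, data))
        else:
            out['other'].append(r)
    return dict(out)


if __name__ == '__main__':
    for bucket, items in classify(ROWS).items():
        print(bucket)
        for item in items:
            print('   ', item)
```

Run on the full tables, the `iexpress_layers` pairs chain IXP000 through IXP010, which is what produces the long run of `z*/w*/q*/r*/s*/t*/u*` executables under "Executes dropped EXE"; the `persistence` bucket is the short list worth hunting for on other hosts (the Run values `nalo.exe`, `sus.exe`, `foto2552.exe`, `socks.exe` and `csrss` pointing at `C:\Windows\rss\csrss.exe`).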

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\861E.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\861E.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3200 set thread context of 1972 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3960 set thread context of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2116 set thread context of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4764 set thread context of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4468 set thread context of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7090902.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2176 set thread context of 4552 N/A C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5112 set thread context of 1276 N/A C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1044 set thread context of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1mP48Ne7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4116 set thread context of 1672 N/A C:\Users\Admin\AppData\Local\Temp\315D.exe C:\Users\Admin\AppData\Local\Temp\448C.exe
PID 3416 set thread context of 4816 N/A C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3592 set thread context of 2020 N/A C:\Users\Admin\AppData\Local\Temp\3660.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5728 set thread context of 5404 N/A C:\Users\Admin\AppData\Local\Temp\53B2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 6712 set thread context of 6848 N/A C:\Users\Admin\AppData\Local\Temp\861E.exe C:\Users\Admin\AppData\Local\Temp\861E.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Tasks\ftjha.job C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\Tasks\ftjha.job C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7090902.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1mP48Ne7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\315D.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3660.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\448C.exe
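The "Suspicious use of SetThreadContext" table records which process rewrote a thread context inside which other process (the final step of process hollowing), and the "Program crash" table records which images WerFault reported on. Joined by image path, the two tables show that most of the injectors on this page died right after injecting, that the hollowed host is almost always the legitimate .NET Framework binary `AppLaunch.exe` (once `vbc.exe`, once a dropped file, once the sample itself), and that the host itself crashed several times. The script below is an added example, not part of the original report or of the sandbox that produced it; it embeds both tables verbatim from this page. Because the crash rows carry no PIDs, the correlation is by image path only, so it says an injector image crashed, not that a particular injection attempt failed.

```python
import re
from collections import Counter

# Both tables copied from this report (constructed inline so the script runs offline).
THREAD_ROWS = [
    r'PID 3200 set thread context of 1972 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 3960 set thread context of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 2116 set thread context of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 4764 set thread context of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 4468 set thread context of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7090902.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 2176 set thread context of 4552 N/A C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 5112 set thread context of 1276 N/A C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 1044 set thread context of 2968 N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1mP48Ne7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 4116 set thread context of 1672 N/A C:\Users\Admin\AppData\Local\Temp\315D.exe C:\Users\Admin\AppData\Local\Temp\448C.exe',
    r'PID 3416 set thread context of 4816 N/A C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 3592 set thread context of 2020 N/A C:\Users\Admin\AppData\Local\Temp\3660.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 5728 set thread context of 5404 N/A C:\Users\Admin\AppData\Local\Temp\53B2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe',
    r'PID 6712 set thread context of 6848 N/A C:\Users\Admin\AppData\Local\Temp\861E.exe C:\Users\Admin\AppData\Local\Temp\861E.exe',
]
CRASH_ROWS = [
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7090902.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1mP48Ne7.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\315D.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3660.exe',
    r'N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\448C.exe',
]

# Assumption: image paths in these rows contain no spaces (true for every row on the page).
THREAD_RE = re.compile(r'^PID (\d+) set thread context of (\d+) N/A (C:\\\S+) (C:\\\S+)$')
CRASH_RE = re.compile(r'^N/A N/A (\S+) (C:\\\S+)$')


def parse_thread_row(row):
    m = THREAD_RE.match(row)
    if not m:
        raise ValueError(f'unrecognised SetThreadContext row: {row!r}')
    src_pid, dst_pid, src, dst = m.groups()
    return {'src_pid': int(src_pid), 'dst_pid': int(dst_pid), 'src': src, 'dst': dst}


def parse_crash_row(row):
    m = CRASH_RE.match(row)
    if not m:
        raise ValueError(f'unrecognised crash row: {row!r}')
    return {'reporter': m.group(1), 'target': m.group(2)}


def basename(path):
    return path.rsplit('\\', 1)[-1]


def summarize(thread_rows, crash_rows):
    """Join injector/host pairs with WerFault targets by image path."""
    pairs = [parse_thread_row(r) for r in thread_rows]
    crashes = Counter(parse_crash_row(r)['target'] for r in crash_rows)
    hosts = Counter(basename(p['dst']) for p in pairs)
    return {
        'pairs': pairs,
        'hosts': hosts,                                    # how often each image was hollowed
        'microsoft_hosts': sorted({basename(p['dst']) for p in pairs
                                   if p['dst'].lower().startswith('c:\\windows\\')}),
        'self_injection': [p['src'] for p in pairs if p['src'] == p['dst']],
        'injectors_crashed': [p['src'] for p in pairs if p['src'] in crashes],
        'host_crash_reports': {basename(t): n for t, n in crashes.items() if basename(t) in hosts},
    }


if __name__ == '__main__':
    s = summarize(THREAD_ROWS, CRASH_ROWS)
    print('hollowed hosts:', dict(s['hosts']))
    print('Microsoft-signed hosts:', s['microsoft_hosts'])
    print('self-injection:', s['self_injection'])
    print(f"{len(s['injectors_crashed'])} of {len(s['pairs'])} injector images crashed")
    print('WerFault reports on hosts:', s['host_crash_reports'])
```

For detection engineering the useful output is `microsoft_hosts`: `AppLaunch.exe` and `vbc.exe` started from `C:\Windows\Microsoft.NET\Framework\v4.0.30319` with a parent in `%TEMP%` is the pattern to alert on, and the four WerFault reports on `AppLaunch.exe` are a reminder that a hollowed host crashing is itself a signal worth collecting.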

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\861E.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\861E.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\861E.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\BIOS C:\Users\Admin\AppData\Local\Temp\861E.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\861E.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000017e431d9a2c98c4f9f85fcb7a9559b0300000000020000000000106600000001000020000000b79c71c918a3d76dc3b101edff4b2ce3bcd2cd429ccacea87947567cb2532b6d000000000e8000000002000020000000ef04ce7c56933da32db2f120dc51428bd1b4be8a5a714398dd433ea7ff5469b520000000f6fe2a38fbe4185b57e5d896e2caeed4dd91bcb02a35fa3b48ab60640a86295040000000340bf24fe7b65a0471c04c345551d7595b629c9c454595e45d4159eab7bb026dbde6b046299ccbaf06b281591d085bff5c45dc3f027de9d6fa0fd303a3ca6282 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000017e431d9a2c98c4f9f85fcb7a9559b030000000002000000000010660000000100002000000058974afa91b244fd8628ae5e3510cb223f6b20458c95d1b1fc25c5ca5ee0990d000000000e80000000020000200000001f29e19de72036fed4a25f6de7f956a9fdd04b2797f316edd51abb3cc2ea904b200000007a7ab60f6a24e88cffb9e55be36316852aa66906eadf32049ac8f5b6986ec88b40000000ce05db26b6b47eb1ac89d4fc92f7e144940fb8e6838a7b3a4780c4ea7b24580318bb02a315f19532ec365dcd2a85c220f0f903e920a32f71631efcfbc119f98e C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31064034" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1715431383" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1715491588" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31064034" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4018136de2ffd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8F8FA320-6BD5-11EE-B0C5-CE3E7C77A9B8} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404192528" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0f8056de2ffd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2890696111-2332180956-3312704074-1000\{65CB7380-9E2C-4167-A5B6-565BBC4914A4} C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\861E.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary certificate blob omitted from this copy) C:\Users\Admin\AppData\Local\Temp\861E.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3200 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3200 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3200 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1972 wrote to memory of 3940 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4457421.exe
PID 3940 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4457421.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9128519.exe
PID 1596 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9128519.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe
PID 2260 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6300316.exe
PID 4140 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6300316.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe
PID 3960 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4140 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6300316.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe
PID 2116 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2260 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe
PID 4764 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4764 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe

"C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3200 -ip 3200

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4457421.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4457421.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 284

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9128519.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9128519.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6300316.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6300316.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3960 -ip 3960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 148

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2116 -ip 2116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2752 -ip 2752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4764 -ip 4764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 584

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6692191.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6692191.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7090902.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7090902.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explonde.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explonde.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4468 -ip 4468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 572

C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe

"C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe

"C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2176 -ip 2176

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MU0Vk9th.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MU0Vk9th.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 592

C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe

"C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Kg5JV7VZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Kg5JV7VZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9708782.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9708782.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\hr3Gd1wJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\hr3Gd1wJ.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5112 -ip 5112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1276 -ip 1276

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\wO2jM2dA.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\wO2jM2dA.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1mP48Ne7.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1mP48Ne7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 148

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1044 -ip 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2968 -ip 2968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 540

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2oA114KX.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2oA114KX.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe

"C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb64b79758,0x7ffb64b79768,0x7ffb64b79778

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4048 CREDAT:17410 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Users\Admin\AppData\Local\Temp\2B70.exe

C:\Users\Admin\AppData\Local\Temp\2B70.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4916 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\33A0.bat" "

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5060 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe

C:\Users\Admin\AppData\Local\Temp\315D.exe

C:\Users\Admin\AppData\Local\Temp\315D.exe

C:\ProgramData\vhvd\ftjha.exe

C:\ProgramData\vhvd\ftjha.exe start2

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe

C:\Users\Admin\AppData\Local\Temp\3660.exe

C:\Users\Admin\AppData\Local\Temp\3660.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4116 -ip 4116

C:\Users\Admin\AppData\Local\Temp\3855.exe

C:\Users\Admin\AppData\Local\Temp\3855.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3416 -ip 3416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4816 -ip 4816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3592 -ip 3592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 588

C:\Users\Admin\AppData\Local\Temp\3D19.exe

C:\Users\Admin\AppData\Local\Temp\3D19.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 140

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5320 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2oA114KX.exe

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2oA114KX.exe

C:\Users\Admin\AppData\Local\Temp\448C.exe

C:\Users\Admin\AppData\Local\Temp\448C.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\4836.exe

C:\Users\Admin\AppData\Local\Temp\4836.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb51fb46f8,0x7ffb51fb4708,0x7ffb51fb4718

C:\Users\Admin\AppData\Local\Temp\4B74.exe

C:\Users\Admin\AppData\Local\Temp\4B74.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1672 -ip 1672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb51fb46f8,0x7ffb51fb4708,0x7ffb51fb4718

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\53B2.exe

C:\Users\Admin\AppData\Local\Temp\53B2.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2652 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\5D96.exe

C:\Users\Admin\AppData\Local\Temp\5D96.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,2075902340006187731,2325420606691374785,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,2075902340006187731,2325420606691374785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\861E.exe

C:\Users\Admin\AppData\Local\Temp\861E.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\861E.exe

C:\Users\Admin\AppData\Local\Temp\861E.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\SYSTEM32\cmd.exe

cmd /c

C:\Windows\system32\runas.exe

runas /user:Administrator C:\Users\Admin\AppData\Local\Temp\861E.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb64b79758,0x7ffb64b79768,0x7ffb64b79778

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM Skype.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM browser.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM iridium.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM uran.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM epic.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM sputnik.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM 7star.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM centbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM amigo.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM torch.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM kometa.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM orbitum.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM viber.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM WhatsApp.exe.

C:\Windows\system32\taskkill.exe

taskkill /F /IM monero-wallet-gui.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM coinomi.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM bitcoin-qt.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\taskkill.exe

taskkill /F /IM bytecoinwallet.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM armoryqt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM atomicwallet.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM exodus.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM electrum.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM dash-qt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM litecoin-qt.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM bitcoin-qt.exe

C:\Users\Admin\AppData\Roaming\wiruura

C:\Users\Admin\AppData\Roaming\wiruura

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb64b79758,0x7ffb64b79768,0x7ffb64b79778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb64b79758,0x7ffb64b79768,0x7ffb64b79778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4020 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3772 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\ProgramData\vhvd\ftjha.exe

C:\ProgramData\vhvd\ftjha.exe start2

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
FI | 77.91.68.52:80 | 77.91.68.52 | tcp
US | 8.8.8.8:53 | 52.68.91.77.in-addr.arpa | udp
FI | 77.91.124.82:19071 | | tcp
FI | 77.91.68.78:80 | 77.91.68.78 | tcp
US | 8.8.8.8:53 | transfer.sh | udp
US | 8.8.8.8:53 | 78.68.91.77.in-addr.arpa | udp
DE | 144.76.136.153:443 | transfer.sh | tcp
US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.174.42.23.in-addr.arpa | udp
FI | 77.91.124.55:19071 | | tcp
US | 8.8.8.8:53 | 176.25.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | accounts.google.com | udp
NL | 142.250.179.141:443 | accounts.google.com | tcp
NL | 142.250.179.141:443 | accounts.google.com | tcp
US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 106.39.251.142.in-addr.arpa | udp
US | 8.8.8.8:53 | accounts.google.com | udp
NL | 142.250.179.141:443 | accounts.google.com | tcp
US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp
FI | 77.91.68.29:80 | 77.91.68.29 | tcp
NL | 142.250.179.141:443 | accounts.google.com | udp
US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp
US | 8.8.8.8:53 | content-autofill.googleapis.com | udp
GB | 216.58.208.106:443 | content-autofill.googleapis.com | tcp
US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp
FI | 77.91.68.52:80 | 77.91.68.52 | tcp
US | 8.8.8.8:53 | accounts.youtube.com | udp
NL | 142.250.179.206:443 | accounts.youtube.com | tcp
US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp
RU | 5.42.92.88:80 | 5.42.92.88 | tcp
US | 8.8.8.8:53 | 88.92.42.5.in-addr.arpa | udp
US | 8.8.8.8:53 | clients2.google.com | udp
NL | 142.251.36.46:443 | clients2.google.com | tcp
US | 8.8.8.8:53 | 46.36.251.142.in-addr.arpa | udp
TR | 185.216.70.222:80 | 185.216.70.222 | tcp
US | 8.8.8.8:53 | 222.70.216.185.in-addr.arpa | udp
FI | 77.91.124.55:19071 | | tcp
FI | 77.91.124.82:19071 | | tcp
FI | 77.91.124.55:19071 | | tcp
BG | 171.22.28.213:80 | 171.22.28.213 | tcp
IT | 185.196.9.65:80 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | 65.9.196.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp
US | 8.8.8.8:53 | play.google.com | udp
NL | 142.251.36.14:443 | play.google.com | tcp
NL | 142.251.36.14:443 | play.google.com | udp
RU | 5.42.65.80:80 | 5.42.65.80 | tcp
US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp
FI | 77.91.124.55:19071 | | tcp
NL | 85.209.176.128:80 | 85.209.176.128 | tcp
US | 8.8.8.8:53 | 128.176.209.85.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
FI | 77.91.68.29:80 | 77.91.68.29 | tcp
US | 8.8.8.8:53 | www.facebook.com | udp
NL | 142.250.179.141:443 | accounts.google.com | tcp
NL | 142.250.179.141:443 | accounts.google.com | tcp
NL | 157.240.247.35:443 | www.facebook.com | tcp
NL | 157.240.247.35:443 | www.facebook.com | tcp
US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp
NL | 142.250.179.141:443 | accounts.google.com | udp
TR | 185.216.70.238:37515 | | tcp
US | 8.8.8.8:53 | static.xx.fbcdn.net | udp
GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp
GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp
GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp
GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp
GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp
GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp
US | 8.8.8.8:53 | 238.70.216.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.221.240.157.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.81.21.72.in-addr.arpa | udp
FI | 77.91.68.52:80 | 77.91.68.52 | tcp
US | 8.8.8.8:53 | accounts.youtube.com | udp
NL | 142.250.179.206:443 | accounts.youtube.com | tcp
NL | 142.250.179.206:443 | accounts.youtube.com | tcp
FI | 77.91.68.29:80 | 77.91.68.29 | tcp
US | 8.8.8.8:53 | facebook.com | udp
GB | 157.240.221.35:443 | facebook.com | tcp
US | 8.8.8.8:53 | fbcdn.net | udp
US | 8.8.8.8:53 | 35.221.240.157.in-addr.arpa | udp
US | 8.8.8.8:53 | api.ip.sb | udp
GB | 157.240.221.35:443 | fbcdn.net | tcp
GB | 157.240.221.35:443 | fbcdn.net | tcp
US | 104.26.12.31:443 | api.ip.sb | tcp
US | 8.8.8.8:53 | fbsbx.com | udp
US | 8.8.8.8:53 | 31.12.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | play.google.com | udp
NL | 142.251.36.14:443 | play.google.com | tcp
NL | 142.251.36.14:443 | play.google.com | tcp
FI | 77.91.68.78:80 | 77.91.68.78 | tcp
FI | 77.91.124.55:19071 | | tcp
US | 104.26.12.31:443 | api.ip.sb | tcp
FI | 77.91.124.55:19071 | | tcp
FI | 77.91.124.82:19071 | | tcp
RU | 5.42.65.80:80 | 5.42.65.80 | tcp
US | 8.8.8.8:53 | ipinfo.io | udp
US | 34.117.59.81:443 | ipinfo.io | tcp
US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp
FI | 77.91.124.55:19071 | | tcp
US | 8.8.8.8:53 | apis.google.com | udp
DE | 172.217.23.206:443 | apis.google.com | tcp
US | 8.8.8.8:53 | 206.23.217.172.in-addr.arpa | udp
FI | 77.91.124.55:19071 | | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
FI | 77.91.124.55:19071 | | tcp
FI | 77.91.124.82:19071 | | tcp
FI | 77.91.124.55:19071 | | tcp
N/A | 127.0.0.1:3389 | | tcp
US | 8.8.8.8:53 | 97fe3723-66d6-4055-b797-27af2a40d424.uuid.statsexplorer.org | udp
FI | 77.91.124.55:19071 | | tcp
FI | 77.91.124.82:19071 | | tcp
FI | 77.91.124.55:19071 | | tcp
FI | 77.91.124.55:19071 | | tcp
US | 8.8.8.8:53 | server10.statsexplorer.org | udp
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 8.8.8.8:53 | stun4.l.google.com | udp
BG | 185.82.216.108:443 | server10.statsexplorer.org | tcp
JP | 172.217.213.127:19302 | stun4.l.google.com | udp
US | 162.159.129.233:443 | cdn.discordapp.com | tcp
US | 8.8.8.8:53 | 127.213.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | walkinglate.com | udp
US | 188.114.96.0:443 | walkinglate.com | tcp
US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp
BG | 185.82.216.108:443 | server10.statsexplorer.org | tcp

Files

memory/1972-0-0x0000000000400000-0x000000000053D000-memory.dmp

memory/1972-1-0x0000000000400000-0x000000000053D000-memory.dmp

memory/1972-2-0x0000000000400000-0x000000000053D000-memory.dmp

memory/1972-3-0x0000000000400000-0x000000000053D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4457421.exe

MD5 73af5a77a25d235b1a168512abd1e0b2
SHA1 921cdfc832a60984b801378833f3d6f8d005ce64
SHA256 43cdfd8727ec4397246c7f97d75dfed4f00c8149da3b5c7c33bd07788f477b4b
SHA512 482c22be6322dbc731509150e1077fcc9ae11af6186851d9cbe1780330a31e040ee538394509e9b4cd65d1e1b377eded0254586a34ca843ee82442342168ab2c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4457421.exe

MD5 73af5a77a25d235b1a168512abd1e0b2
SHA1 921cdfc832a60984b801378833f3d6f8d005ce64
SHA256 43cdfd8727ec4397246c7f97d75dfed4f00c8149da3b5c7c33bd07788f477b4b
SHA512 482c22be6322dbc731509150e1077fcc9ae11af6186851d9cbe1780330a31e040ee538394509e9b4cd65d1e1b377eded0254586a34ca843ee82442342168ab2c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9128519.exe

MD5 2a87c881bce59b82bde7d2bd9e5a2cab
SHA1 54c516164dffb257732d0b5de1807ed13cc9ea36
SHA256 4a64df533782075e03f747fd5e6c7dff482ada1e27f11b8fd6c44ce7c24e4e6c
SHA512 5ab3928e86ba7b199b6ca8eaee39b11ad35b1f28a5ec21c60c9c3c5c694c62981554cba3acae6c8dbb5aa85d71812e530312737ecca6651dddcfb2b54b59a1b8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9128519.exe

MD5 2a87c881bce59b82bde7d2bd9e5a2cab
SHA1 54c516164dffb257732d0b5de1807ed13cc9ea36
SHA256 4a64df533782075e03f747fd5e6c7dff482ada1e27f11b8fd6c44ce7c24e4e6c
SHA512 5ab3928e86ba7b199b6ca8eaee39b11ad35b1f28a5ec21c60c9c3c5c694c62981554cba3acae6c8dbb5aa85d71812e530312737ecca6651dddcfb2b54b59a1b8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe

MD5 863024796e1e73fe51fea2ed0ab41bd7
SHA1 477fb4bb1c57284bdd1fc7b2fa759c4065c09aa5
SHA256 b6a48a02e8916fd26a4d8a66441b342b3a7ad7d17707ead47f7c076501bccc0e
SHA512 3e062a13efdd8142b5006fd07eadadca11cf8070117ae1e168f3eb12dabf92f1423b0f23ed5f775e7e8370febbee27c3fded62d8dd6b9e3b2482ec741e2354b0

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe

MD5 863024796e1e73fe51fea2ed0ab41bd7
SHA1 477fb4bb1c57284bdd1fc7b2fa759c4065c09aa5
SHA256 b6a48a02e8916fd26a4d8a66441b342b3a7ad7d17707ead47f7c076501bccc0e
SHA512 3e062a13efdd8142b5006fd07eadadca11cf8070117ae1e168f3eb12dabf92f1423b0f23ed5f775e7e8370febbee27c3fded62d8dd6b9e3b2482ec741e2354b0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6300316.exe

MD5 449440907fb043910a2386270a21c1cb
SHA1 e57e9b48b7481b111fe21f1d677cfe7eb7bb330f
SHA256 3b9ad0b8ffbde901bbe5b629e71cf633e3b1518878d4f4675ac1a488e0688dc8
SHA512 66cea07f4463a41a45d50cfbd0d60e794bbb3cef131aaa9fa5b2a000c133e958c5201635ff90f09d7ae5cb171b65ab6975bec46e6deca421e94e2f9f839304f4

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6300316.exe

MD5 449440907fb043910a2386270a21c1cb
SHA1 e57e9b48b7481b111fe21f1d677cfe7eb7bb330f
SHA256 3b9ad0b8ffbde901bbe5b629e71cf633e3b1518878d4f4675ac1a488e0688dc8
SHA512 66cea07f4463a41a45d50cfbd0d60e794bbb3cef131aaa9fa5b2a000c133e958c5201635ff90f09d7ae5cb171b65ab6975bec46e6deca421e94e2f9f839304f4

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe

MD5 2fba4bafa19f78d05098f7067d1b0420
SHA1 942a08102ceec9d800e3a3d2832403a62fb24da9
SHA256 27761c9dd439d8be271ac4b0ff485caafc74fd29be1e7c7b1c03179dff62654c
SHA512 c294d8c648fe521fbd01379b708a3b4474b17848c81d113bcdad9a391095b3d6ba1457f9f3c2974a09db34cf64ae82413bb1f2ad5cbe8d3617822602032b3f62

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe

MD5 2fba4bafa19f78d05098f7067d1b0420
SHA1 942a08102ceec9d800e3a3d2832403a62fb24da9
SHA256 27761c9dd439d8be271ac4b0ff485caafc74fd29be1e7c7b1c03179dff62654c
SHA512 c294d8c648fe521fbd01379b708a3b4474b17848c81d113bcdad9a391095b3d6ba1457f9f3c2974a09db34cf64ae82413bb1f2ad5cbe8d3617822602032b3f62

memory/2072-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2072-40-0x0000000073940000-0x00000000740F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe

MD5 d95d3929186b0cf20b5c75260cfd9365
SHA1 9d9a2344308125504276f1c6dc496c816ce5fe6d
SHA256 28e3b465490dc02c0900d0a7d34956a267a502d05af35021c73b6c2f9cc435ac
SHA512 10d806c04dccd7e1764a976967128313c54e52917cf65c1e5e1afecc67c73b1396bac239bac953d7141691810157a7326c6d6c2f1b6273cbe168a4e56c532ce0

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe

MD5 d95d3929186b0cf20b5c75260cfd9365
SHA1 9d9a2344308125504276f1c6dc496c816ce5fe6d
SHA256 28e3b465490dc02c0900d0a7d34956a267a502d05af35021c73b6c2f9cc435ac
SHA512 10d806c04dccd7e1764a976967128313c54e52917cf65c1e5e1afecc67c73b1396bac239bac953d7141691810157a7326c6d6c2f1b6273cbe168a4e56c532ce0

memory/2752-44-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2752-46-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2752-45-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2752-48-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe

MD5 d33131e4f9719a7db6d73daad3d9d424
SHA1 872abbb1b57b812cd448c5c615ef25cc29ee71e4
SHA256 a8f86b4e7cdaf77c62eadd46b7472b45bad6490d0bdbbb581ad5643ebb52a31b
SHA512 0e2149ca74056ae9fbf89bfd2edc77e397faa2ac911ba459161dd22a6865967419af11d1713c5875a549e6cd33684a61fdc1e2a6a628c63925cf119d1839852e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe

MD5 d33131e4f9719a7db6d73daad3d9d424
SHA1 872abbb1b57b812cd448c5c615ef25cc29ee71e4
SHA256 a8f86b4e7cdaf77c62eadd46b7472b45bad6490d0bdbbb581ad5643ebb52a31b
SHA512 0e2149ca74056ae9fbf89bfd2edc77e397faa2ac911ba459161dd22a6865967419af11d1713c5875a549e6cd33684a61fdc1e2a6a628c63925cf119d1839852e

memory/5056-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5056-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6692191.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6692191.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7090902.exe

MD5 46de1fa1891852be54c43db9350bd542
SHA1 f55345533ddc021f184a1f4a50460476bb98d75d
SHA256 a472133e987c63feae2533ed42dc74e26d450387506d87c25ee24d61a0ab31ac
SHA512 2e1f6a049a07d0b4421a37aa26a8053db86bfe8ac96d76c6875b91d047cc26a8f92e6156b47b12c4c6a69c1d062c40f520dde6c1b75f5e88a350806f372691b9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7090902.exe

MD5 46de1fa1891852be54c43db9350bd542
SHA1 f55345533ddc021f184a1f4a50460476bb98d75d
SHA256 a472133e987c63feae2533ed42dc74e26d450387506d87c25ee24d61a0ab31ac
SHA512 2e1f6a049a07d0b4421a37aa26a8053db86bfe8ac96d76c6875b91d047cc26a8f92e6156b47b12c4c6a69c1d062c40f520dde6c1b75f5e88a350806f372691b9

C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1

MD5 396a54bc76f9cce7fb36f4184dbbdb20
SHA1 bb4a6e14645646b100f72d6f41171cd9ed6d84c4
SHA256 569231a6d7fcb66f4cacf62fd927c9c7da74d720e78ae09e07032b71a1e0a43a
SHA512 645dd17a7ddad1f8cc7b35ff0c2a5c02edfe13f21e312c3e2b7b87f75b18376cc153b2f7323558fa4fb36422878bbcc40c66ab3f6f83c60a8bee3c87ae296bbe

memory/2140-74-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3624-76-0x0000000002B80000-0x0000000002BB6000-memory.dmp

memory/3624-75-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/2140-77-0x00000000054B0000-0x00000000054B6000-memory.dmp

memory/2140-78-0x0000000073940000-0x00000000740F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe

MD5 e2653ea779dfa83d932a209e83766279
SHA1 30df9859ac93992ddf916c052402365c22019ae6
SHA256 4fc0e969b8367e21b734926d5d8c4618cbde095483ad6a03642d20ae5e27ba4c
SHA512 67ba9d47d0486c7e62faf85beb65056992da00abb27e9b74b90f03a92c6ecea7c31af18e5471b1475e57b6bc95b6ce10f24dd03d4e251aaac6d473ae35c476c6

memory/1972-85-0x0000000000400000-0x000000000053D000-memory.dmp

memory/3624-88-0x0000000002D70000-0x0000000002D80000-memory.dmp

memory/3624-87-0x0000000002D70000-0x0000000002D80000-memory.dmp

memory/3624-86-0x0000000005770000-0x0000000005D98000-memory.dmp

memory/3624-95-0x0000000005600000-0x0000000005622000-memory.dmp

memory/2140-96-0x0000000005D70000-0x0000000006388000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3a5jjfvn.g1a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2140-100-0x0000000005860000-0x000000000596A000-memory.dmp

memory/3624-97-0x0000000005E10000-0x0000000005E76000-memory.dmp

memory/2140-122-0x0000000005800000-0x000000000583C000-memory.dmp

memory/5056-119-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2140-117-0x00000000054C0000-0x00000000054D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe

MD5 ea268ea4d55e60f0f1ec5bb34e0e03c1
SHA1 14a84040962e8e267f23e469041fcfb2299fed21
SHA256 514b3ef7e4d2db0be517a79278bb0810eb4d3b54d93e6cce1da7690b26be7ac5
SHA512 41d57dc83787b66100ca8884a0ecbabacfdbb3509d1eea34ce597e6720c68673aee52bec6aa103446edef45dc9bd79963051a5af347a50dc1c0392ee501870b5

memory/3624-110-0x0000000005E80000-0x0000000005EE6000-memory.dmp

memory/2140-105-0x00000000057A0000-0x00000000057B2000-memory.dmp

memory/2632-104-0x0000000002680000-0x0000000002696000-memory.dmp

memory/3624-138-0x0000000006000000-0x0000000006354000-memory.dmp

memory/4552-140-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2072-139-0x0000000073940000-0x00000000740F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe

MD5 e92f0e5c0acbede9451b1dc8d95f056c
SHA1 f12699dc9e95f7d74109eebb8e9ab9e559bdf525
SHA256 b86133a9e04b4620245d934e1222905db8c2bca65cf116b7baa00617ab920cce
SHA512 737fd11b47f42c18e0a5cadd5bdac6bb4d5e50b47dd571e8201593a705192f173da8121d8c7740b20b2b06870a180fbc8f54381388e82ffa09bae364f26f7773

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MU0Vk9th.exe

MD5 7da9d23e390d389c223ee210c1d44cd5
SHA1 419db1be012ffe1b300dbf4bf2d5dd2077034414
SHA256 5562616f58e6613da22f98c84441206fb2ff84ebd3f7a1f04979904c35c6974a
SHA512 bfbd8cdd923e2e481a5ef909abc9c83c438d1a21230125eb540c3c1cdf7ceb11889551ae73cfb7a3c8eb2192c7d652398161b0806ef9654965da3b37279b5eb5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Kg5JV7VZ.exe

MD5 b577757a01cb47bdcd0fcde5c14d8d9c
SHA1 0f34a499b9d8ee929ac97d51ec0b6a96b9e75ebd
SHA256 4b7f310c8e6ae1ae8d6bd4736acea0688ae50c56b65168186304626a1bbc1534
SHA512 aa6e88bdf4cd11e0c661b90cce50a1555dd947bdf71e8a40b8069b7d9bd5afa6291a88392260a3948adb05bcbae3385b33dc650bafa4c8f63d9500bd5cb1d13f

memory/2140-168-0x0000000005970000-0x00000000059BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9708782.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\hr3Gd1wJ.exe

MD5 0a82f72da3cd8178272bbdc1011f48d8
SHA1 3701c0cfb04f3edcdf9b8837a708cdba9da2a100
SHA256 b98296a06b9887bf154c23ad2a54312ec1f5f6b81295f9ba8f40d628b6ad4759
SHA512 f18114927aeedd22feb126d1f78512d848ef54c0574b776f9e95aa210540fc3796c23701b490ba350aecdf10b2270c8204465da8c465726a818fbaf9f44190ed

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

memory/1276-177-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1276-178-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1276-179-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1276-181-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\wO2jM2dA.exe

MD5 69379446749390eb632eae36fe81cc84
SHA1 c6bb099e3a391b5cc6ddc007571d439db2233ea3
SHA256 9f7ac3a89733b574e528bde53084b7db1b88ba25bb01e5218f5407c72b3d7233
SHA512 a883dc99e94ae7c98216562c135a1b603c22b33c88080c95364dab360c546f201becba930b3dd20f44f724b3e79c91487aeed9a015cc6c3435446431078e097a

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1mP48Ne7.exe

MD5 2ddfedb3c1d3451453f626af981a42bd
SHA1 73edfd89b2fd7bb919c5dd79add5a29aded1d4fe
SHA256 4c5659217b9e8f8f7f37cc45e0ad519719010597f07ecd738da927933a91ed2a
SHA512 1a3c55e40a7ed3386f102930d9c1746aaaa6ede52238a02ea963da968fa5686bfee122bd1cd95e00b9fe8ef178fa5b9b9fe1a1a976a407bf8aa0981f1e98c7d9

memory/1972-202-0x0000000000400000-0x000000000053D000-memory.dmp

memory/3624-204-0x00000000064D0000-0x00000000064EE000-memory.dmp

memory/2968-208-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2072-207-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/2968-209-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2968-211-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2632-213-0x0000000002720000-0x0000000002736000-memory.dmp

memory/4552-214-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2oA114KX.exe

MD5 02bb293d4d6bc0af5a2858909dccd5f9
SHA1 f39ed285b4265f8b1792cb0bbe94cd5ae617a13b
SHA256 51f954c41b6cf94a2e01b9c19f0a5d8016e3d7bcf2d6219bbc9193c1180e562e
SHA512 18062c8826a63ff0ab5d0a7ff7b6c2900631b18203871d5a495ffd3866edf85d05e1109756061eca6a6c918afe6575acc79f1a4adda116e13d2d93d6dc49fa81

memory/3648-220-0x0000000000960000-0x000000000099E000-memory.dmp

memory/3624-221-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/2140-222-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/3648-223-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/3648-224-0x0000000007C60000-0x0000000008204000-memory.dmp

memory/3648-225-0x0000000007750000-0x00000000077E2000-memory.dmp

memory/3648-226-0x0000000007700000-0x0000000007710000-memory.dmp

memory/3624-230-0x0000000002D70000-0x0000000002D80000-memory.dmp

memory/3624-232-0x0000000002D70000-0x0000000002D80000-memory.dmp

memory/3624-233-0x0000000002D70000-0x0000000002D80000-memory.dmp

memory/3648-231-0x00000000077F0000-0x00000000077FA000-memory.dmp

memory/3624-237-0x0000000007740000-0x00000000077D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe

MD5 2a18e8163bdd80fcde52ac7a630ca65d
SHA1 18983ef45b2953cb5b7ee9ed6fa153e406c85311
SHA256 f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82
SHA512 bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb

memory/3624-245-0x00000000069E0000-0x0000000006A02000-memory.dmp

memory/3624-238-0x0000000006970000-0x000000000698A000-memory.dmp

memory/2140-252-0x00000000054C0000-0x00000000054D0000-memory.dmp

memory/3624-255-0x000000007F340000-0x000000007F350000-memory.dmp

memory/3624-256-0x0000000007820000-0x0000000007852000-memory.dmp

memory/3624-257-0x000000006C700000-0x000000006C74C000-memory.dmp

memory/3624-267-0x0000000007800000-0x000000000781E000-memory.dmp

memory/3624-268-0x0000000007860000-0x0000000007903000-memory.dmp

memory/3624-269-0x00000000089C0000-0x000000000903A000-memory.dmp

memory/3624-270-0x00000000079F0000-0x00000000079FA000-memory.dmp

memory/3624-271-0x0000000007B50000-0x0000000007B61000-memory.dmp

memory/3648-272-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/3624-273-0x0000000007B90000-0x0000000007B9E000-memory.dmp

memory/3624-274-0x0000000007BA0000-0x0000000007BB4000-memory.dmp

memory/3624-275-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

memory/3624-276-0x0000000007BD0000-0x0000000007BD8000-memory.dmp

memory/3624-280-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/3648-282-0x0000000007700000-0x0000000007710000-memory.dmp

\??\pipe\crashpad_1040_IGEFQDNYJLAXUYYS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\2B70.exe

MD5 ea268ea4d55e60f0f1ec5bb34e0e03c1
SHA1 14a84040962e8e267f23e469041fcfb2299fed21
SHA256 514b3ef7e4d2db0be517a79278bb0810eb4d3b54d93e6cce1da7690b26be7ac5
SHA512 41d57dc83787b66100ca8884a0ecbabacfdbb3509d1eea34ce597e6720c68673aee52bec6aa103446edef45dc9bd79963051a5af347a50dc1c0392ee501870b5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe

MD5 7da9d23e390d389c223ee210c1d44cd5
SHA1 419db1be012ffe1b300dbf4bf2d5dd2077034414
SHA256 5562616f58e6613da22f98c84441206fb2ff84ebd3f7a1f04979904c35c6974a
SHA512 bfbd8cdd923e2e481a5ef909abc9c83c438d1a21230125eb540c3c1cdf7ceb11889551ae73cfb7a3c8eb2192c7d652398161b0806ef9654965da3b37279b5eb5

C:\ProgramData\vhvd\ftjha.exe

MD5 2a18e8163bdd80fcde52ac7a630ca65d
SHA1 18983ef45b2953cb5b7ee9ed6fa153e406c85311
SHA256 f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82
SHA512 bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe

MD5 0a82f72da3cd8178272bbdc1011f48d8
SHA1 3701c0cfb04f3edcdf9b8837a708cdba9da2a100
SHA256 b98296a06b9887bf154c23ad2a54312ec1f5f6b81295f9ba8f40d628b6ad4759
SHA512 f18114927aeedd22feb126d1f78512d848ef54c0574b776f9e95aa210540fc3796c23701b490ba350aecdf10b2270c8204465da8c465726a818fbaf9f44190ed

C:\Users\Admin\AppData\Local\Temp\315D.exe

MD5 e1fb9c32ee188e153ec4219285a696c2
SHA1 0f160b5ac9ffc7cd9079080f54601f70d05570de
SHA256 32baaeeebd843aebcbe2fc4943bd1185149c1b59c7af315a57a8024dbdb31be5
SHA512 4cdfb7dd31e765abff55bd2cc755c66e2ef99732c04141093269b3bc174a79bd47dbff541b1767a14c236c67c8c45a554acfa1df16cf1c5813d8de243eda82eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 aab2c0ac341d244950bd1fc232f6cd54
SHA1 024cc43041e8f4e0a113e1c5eafa28dc7afe778d
SHA256 a9fc1e5ea4a6d391f361aafe110970589f2d25665e456f43c9f16fa0c716bddd
SHA512 8bd7c9d0a827e0444cff4201ccac65a024c8147300c5cdad85a32f409d25b4b37e6ba85598fbb3c1b87a731c260091d7ad2dedc3e062cc159cdb16e7022537d7

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe

MD5 69379446749390eb632eae36fe81cc84
SHA1 c6bb099e3a391b5cc6ddc007571d439db2233ea3
SHA256 9f7ac3a89733b574e528bde53084b7db1b88ba25bb01e5218f5407c72b3d7233
SHA512 a883dc99e94ae7c98216562c135a1b603c22b33c88080c95364dab360c546f201becba930b3dd20f44f724b3e79c91487aeed9a015cc6c3435446431078e097a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fa490bcfae422ab5e22cff35fd9d1448
SHA1 1b1e451fcc3fd6a34d317f8cacbaedec44229f5b
SHA256 0f3f862bf8aae953e21ac9b60b2f6a4611e3dd9fd824e3d454707252a4a39296
SHA512 e65c85f7afb1cc21395cf0f576b1434f252a57877103e18e2205311baf35e6b7563d1de8201060052369cd45cc90f74c8f9d88f9cf92c81d659212ba35765f09

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe

MD5 b577757a01cb47bdcd0fcde5c14d8d9c
SHA1 0f34a499b9d8ee929ac97d51ec0b6a96b9e75ebd
SHA256 4b7f310c8e6ae1ae8d6bd4736acea0688ae50c56b65168186304626a1bbc1534
SHA512 aa6e88bdf4cd11e0c661b90cce50a1555dd947bdf71e8a40b8069b7d9bd5afa6291a88392260a3948adb05bcbae3385b33dc650bafa4c8f63d9500bd5cb1d13f

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2oA114KX.exe

MD5 02bb293d4d6bc0af5a2858909dccd5f9
SHA1 f39ed285b4265f8b1792cb0bbe94cd5ae617a13b
SHA256 51f954c41b6cf94a2e01b9c19f0a5d8016e3d7bcf2d6219bbc9193c1180e562e
SHA512 18062c8826a63ff0ab5d0a7ff7b6c2900631b18203871d5a495ffd3866edf85d05e1109756061eca6a6c918afe6575acc79f1a4adda116e13d2d93d6dc49fa81

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe

MD5 2ddfedb3c1d3451453f626af981a42bd
SHA1 73edfd89b2fd7bb919c5dd79add5a29aded1d4fe
SHA256 4c5659217b9e8f8f7f37cc45e0ad519719010597f07ecd738da927933a91ed2a
SHA512 1a3c55e40a7ed3386f102930d9c1746aaaa6ede52238a02ea963da968fa5686bfee122bd1cd95e00b9fe8ef178fa5b9b9fe1a1a976a407bf8aa0981f1e98c7d9

memory/1672-375-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1672-376-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1672-377-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5068-380-0x0000000002360000-0x0000000002380000-memory.dmp

memory/5068-383-0x0000000004A70000-0x0000000004A80000-memory.dmp

memory/4816-387-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4816-384-0x0000000000400000-0x0000000000432000-memory.dmp

memory/5068-382-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/5068-388-0x0000000004A70000-0x0000000004A80000-memory.dmp

memory/5068-385-0x0000000004A70000-0x0000000004A80000-memory.dmp

memory/4816-391-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2020-392-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 af1f757c481bf335dd152a603f85f0e3
SHA1 c8f0477f4fdc4d7ddc128de1cfddcaa360f1c771
SHA256 e661973caa2770f00560fa7e186ca91c36709d0965376e5fb158623fde94c820
SHA512 7a90762c2b64d221da08ea48deebdf681d9defca78b829d3f9a91a6a49888d2276dbf027aa4960dcbba0064ea4bd43f00442ae340a7a64ebde15c6c2fdc9340f

memory/5068-398-0x0000000004990000-0x00000000049A8000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d4f83de7cfdd59b7073d9dda672d24ed
SHA1 26a1aead0d81ee92a002608e6aeaed2ea742d0f1
SHA256 731780bb2064b78442302dcb9b12c011e6ba236b2f0f3ab599797288f89729de
SHA512 76a9334a0884fd5e4f913f0632e5036aa143a34ceaee493724fb76fcaa022d0b211a9b0fd9319bb97cebdc308b16995d20e92330e07d7c71058ba5cfd1da0c11

memory/5068-399-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/5068-408-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/5068-411-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/5068-414-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/5068-417-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/5068-419-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/5068-421-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/5068-424-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/5068-426-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/5068-430-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/5068-428-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/5068-433-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/5068-436-0x0000000004990000-0x00000000049A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d5af55f794f9a10c5943d2f80dde5c5
SHA1 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XE9C1B9R\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 274208e27f8c5aad0b595df33e456414
SHA1 068cda45b5fcf9fd1789a152d759381daa36abd5
SHA256 bb0130c34c8b56817ebbdc0394782b800bda7dcb51a58793b5dc02d1368b3f24
SHA512 ed7837211b1842286483eaeffa430be9985751efea0729b511a80b4aaabb6fe797bc4ff0857dee5c374eb5a6dd54cc5c62ce9ee57d88f90ce51bec02155bed0c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 038202ce05578f1d1e40639a808174d5
SHA1 f9b239d17ffb3563b7847e47c0c1ab191163a92f
SHA256 52d79bba813c43787498040b9cfc1992f9e0bcb8fa76a47200403b197a4abc65
SHA512 d913c9eaf85b0e6ee37005d48b8aa4af21423866e4a23d7644846442e2647c6069d8211c3f9478ef489b50772c429ef0119b6e564628b09d409c901e262c558a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 25e6307b2b5e5f1c39d542d1eba09ecc
SHA1 478336bdc3606faab5b7446cb058c19abc95d02f
SHA256 14fe6a31d1a5d268c0a0f1fe85cb51863fed3b1c32d6e1202d2d8627896cb252
SHA512 9c00070b51d2f3688925d40787674a945148ef00d28f48912be1aa068ad703932bad7bd6d8def310007fb6f6db92915c945c55975495be6faa16f7889f68822b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c71a7e4ed6d19c53c9b897039d6f3db1
SHA1 1b43c15b27d197bf13fd17fab075616d0913aea7
SHA256 0016d04d70c9941e29f21645441ff3ef5a1ced1e8ba2ad42dcaba4f49dfd6209
SHA512 6ec0424acfb5d69f1ca322f054d55c5d22c0af242fdf0fbd96131599f2f1e4158dbbd89e1470ee4b7b9976c3df7b0d1e6302564b31cdfd3db1cc193bee9623e1

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 0c459e65bcc6d38574f0c0d63a87088a
SHA1 41e53d5f2b3e7ca859b842a1c7b677e0847e6d65
SHA256 871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4
SHA512 be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2ac6d3fcf6913b1a1ac100407e97fccb
SHA1 809f7d4ed348951b79745074487956255d1d0a9a
SHA256 30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe
SHA512 79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3cb6cb5f38a457812db51c73aa234019
SHA1 cc8d803612a5c66937efd9ddd915759a940c7d4e
SHA256 89b09035af8a5d3211b3f98b194c751da33dbac43516aef9940fbe2ff7e5093f
SHA512 0a63a10e390d1e255bb996d172f5a4930bd62b446547632f1334a328ed31446abaa6e5a0c6f04274568fe3dec38c5b60b02fd839f6dbb9ae4bd7baead83bc378

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver9611.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e1af7e28d9fcfe747baeb4a630f5552e
SHA1 fa939327469030280af2a93ca9b167d53606bf61
SHA256 137a19f289c7334886066edb25d623143269c43b321a07e8790bc5710b8ce6c6
SHA512 d8b8d6a417951b49b62de9bc5d8ec48024ee97ebf6d72309d813a2ff0f7760d9c856f3848ce10e0a5db7c2fec406ecf4a704b8e3df945267520cdf56de29e4d9

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3b9b2cc984d6f2d0ba2a70758fb6352c
SHA1 2fd88b57f0b975889b0bf738acdf855a701db590
SHA256 594185e3b1aed50b43c745437a7a2f51bb140ea32d35a6f4f1bdf0d7e5d9fe3e
SHA512 bda7bbdc2612e8297207047e6d9e48536ec0b8e940eb3ad08e9eff1aba17255e61e2a17e945a28cbd00cdfb513605f50a349174bc69fbd5c3715e26223a0c460

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5db83e9d9f59fae11b488b49f6cd5bad
SHA1 a2ef9862e49a9ff155bf355d47b53a35ca2da66f
SHA256 6cacd9a3cb488381899a051cea097045a1b0a8eb8ae1af9c1c711faa84a93735
SHA512 7d54cdab4be5e34330562510f2d183f2f4a2be0b9b9b6af7a4b905d1ed37a5207e88fa087b3edb383e8cfa52b75f77ab46a788b6d9f5d4c824360f6064f14bf5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 10f5b64000466c1e6da25fb5a0115924
SHA1 cb253bacf2b087c4040eb3c6a192924234f68639
SHA256 d818b1cebb2d1e2b269f2e41654702a0df261e63ba2a479f34b75563265ee46b
SHA512 8a8d230594d6fade63ecd63ba60985a7ccd1353de8d0a119543985bf182fdbb45f38ccc96441c24f0792ea1c449de69563c38348c2bedb2845522a2f83a149db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 6d5040418450624fef735b49ec6bffe9
SHA1 5fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256 dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512 bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Local\Temp\tmpBD58.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpBD8D.tmp

MD5 afa13f3defcd7a3454d106cf6abbf911
SHA1 c5bb2e376d265d252edbcea4252580c7f44ee741
SHA256 707fff65d2f00566f96afd5b2a0e1c0460367c4bc008e55b60739f046f46f2f0
SHA512 570a13afeaa7452cb43528aff19c09bbc528c6b29f065e847e966bfd2cd8dc3cdc0637935e6f9ebfdde8019e5135ab01a3a18667e0ed8623ef8b3366492a6203

C:\Users\Admin\AppData\Local\Temp\tmpBDF6.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpBE31.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpBE1C.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmpBE5D.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\NL10.127.0.41\Google Chrome\Logins.txt

MD5 2a76b3e934844a2a713d509f764db633
SHA1 3c190760fc63f72319dcc8535626e5f4cf6f46ff
SHA256 0d4d39a3d65d961dbd5df255f4cf69ab6b87076a9a366a8db723c98b7bbf20f2
SHA512 6d8f86a39dacb158cba5956610578f3e9873d66547e62cb491c440b108062cae2c35d16e292fd2f528d70ed9e5814c8916f4ada9f551498a5366fb709a9b1a82

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 298cdc50f61a239b0b2aed4a77dde871
SHA1 a1260046d27764570aa6bd68bfedd320e0df20a0
SHA256 21cd152d2cc0ae2ce208ba1b92b9c70f571a7200cbd092d4763fac5f3372617f
SHA512 adba3a38e0fcf5449228cb955c2439b9bb26201fd8ce4f9a4b9fa3e11a97781e51904bdee1fac6f5a8edb526b97965e79a0be9c15f4f748a63b7a24260ecd148

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\20c9112e-21c8-4b1c-a118-40f17e6f06bf.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GJQPG6SR\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 12:56

Reported

2023-10-16 03:39

Platform

win7-20230831-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2972 set thread context of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2972 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\SysWOW64\WerFault.exe
PID 2972 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\SysWOW64\WerFault.exe
PID 2972 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\SysWOW64\WerFault.exe
PID 2972 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe C:\Windows\SysWOW64\WerFault.exe
PID 2088 wrote to memory of 2724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2088 wrote to memory of 2724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2088 wrote to memory of 2724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2088 wrote to memory of 2724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2088 wrote to memory of 2724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2088 wrote to memory of 2724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2088 wrote to memory of 2724 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
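The two signature tables above describe one pattern: the sample (PID 2972) writes fourteen times into a freshly started AppLaunch.exe (PID 2088) and then calls SetThreadContext on it, which is the classic process-hollowing sequence (start a signed host suspended, write the payload image into it, point the primary thread at it, resume). The remaining WriteProcessMemory rows target WerFault.exe, which the crashing process itself launches with "-u -p <pid>", so both the sample and the hollowed AppLaunch.exe hit an unhandled exception on this win7 platform, consistent with the empty Network section. The script below is an added example, not part of this report or of the sandbox: it parses the row text exactly as printed in the tables (re-typed here as constructed input), and its verdict rule and host list are its own assumptions rather than the sandbox's detection logic.

```python
"""Correlate the API-trace rows of the Signatures section into a verdict.

Added example; it is not part of the sandbox report. The input below is the
row text exactly as printed above (copied by hand, so treat it as constructed
input), and the verdict rules and host list are this script's own assumptions,
not the sandbox's detection logic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed input: the behavioral1 rows, one string per row, same counts as the report.
SIGNATURE_ROWS = (
    [f"PID 2972 set thread context of 2088 N/A {SAMPLE} {HOST}"]
    + [f"PID 2972 wrote to memory of 2088 N/A {SAMPLE} {HOST}"] * 14
    + [f"PID 2972 wrote to memory of 3024 N/A {SAMPLE} {WERFAULT}"] * 4
    + [f"PID 2088 wrote to memory of 2724 N/A {HOST} {WERFAULT}"] * 7
)

ROW_RE = re.compile(r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<dst>\d+)$")

# Signed Microsoft binaries that idle quietly when started with no arguments and are
# therefore popular hollowing hosts. This list is an assumption of the example.
KNOWN_HOLLOWING_HOSTS = {
    "applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "msbuild.exe", "vbc.exe", "csc.exe", "aspnet_compiler.exe", "cvtres.exe",
}


@dataclass(frozen=True)
class Event:
    src_pid: int
    dst_pid: int
    verb: str
    src_image: str
    dst_image: str


def parse_row(row: str) -> Event:
    """Split one 'Description Indicator Process Target' row.

    The Indicator column is the literal N/A in every row here, so it serves as
    the separator; the two image paths are split at the second drive-letter
    prefix so paths containing spaces would survive too.
    """
    left, sep, right = row.partition(" N/A ")
    m = ROW_RE.match(left) if sep else None
    if m is None:
        raise ValueError(f"unrecognised row: {row!r}")
    split = right.find(" C:\\", 1)
    if split < 0:
        raise ValueError(f"expected two image paths: {row!r}")
    return Event(int(m["src"]), int(m["dst"]), m["verb"], right[:split], right[split + 1:])


def hollowing_candidates(events):
    """Return (src -> dst) pairs that look like process hollowing.

    Process creation alone makes the parent write into the new child (it fills
    in the child's process parameters), so WriteProcessMemory rows by themselves
    are noise; the same parent also calling SetThreadContext on that child is
    the discriminating combination (write the payload, then redirect the
    suspended primary thread into it).
    """
    counts = defaultdict(lambda: {"writes": 0, "context_sets": 0})
    images = {}
    for ev in events:
        key = (ev.src_pid, ev.dst_pid)
        images[key] = (ev.src_image, ev.dst_image)
        field = "writes" if ev.verb == "wrote to memory of" else "context_sets"
        counts[key][field] += 1
    out = []
    for (src, dst), c in counts.items():
        if c["context_sets"] == 0 or c["writes"] == 0:
            continue
        src_image, dst_image = images[(src, dst)]
        host = dst_image.rsplit("\\", 1)[-1].lower()
        out.append({"src_pid": src, "dst_pid": dst, "src_image": src_image,
                    "dst_image": dst_image, "writes": c["writes"],
                    "context_sets": c["context_sets"],
                    "known_host": host in KNOWN_HOLLOWING_HOSTS})
    return out


def crashed_pids(events):
    """PIDs that spawned WerFault.exe, i.e. processes that hit an unhandled exception."""
    return sorted({ev.src_pid for ev in events
                   if ev.dst_image.rsplit("\\", 1)[-1].lower() == "werfault.exe"})


if __name__ == "__main__":
    evs = [parse_row(r) for r in SIGNATURE_ROWS]
    for c in hollowing_candidates(evs):
        print(f"hollowing: {c['src_pid']} -> {c['dst_pid']} ({c['dst_image']}), "
              f"{c['writes']} writes, {c['context_sets']} SetThreadContext, "
              f"known host={c['known_host']}")
    print("crashed:", crashed_pids(evs))
```

Run against the rows above it reports a single candidate, 2972 -> 2088 into AppLaunch.exe with 14 writes and one SetThreadContext, and lists 2088 and 2972 as the processes that crashed; the WerFault pairs are not flagged because no thread context was set on them. The same rule maps directly onto Sysmon event 8 (CreateRemoteThread) plus EDR SetThreadContext telemetry, where a parent that both writes into and retargets a suspended child is worth an alert regardless of the host's signature.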

Processes

C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe

"C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 92

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 200

Network

N/A

Files

memory/2088-0-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2088-2-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2088-3-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2088-4-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2088-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2088-5-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2088-1-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2088-7-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2088-9-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2088-11-0x0000000000400000-0x000000000053D000-memory.dmp
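The dump names above encode the process, a sequence number and the virtual address range of each region the sandbox captured: nearly all of them are the same 0x400000-0x53D000 range (0x13D000 bytes) inside PID 2088, the AppLaunch.exe that 2972 wrote into, which is where a hollowed-in payload compiled for the default 0x400000 base would sit; the 0xFFFDE000-0xFFFDF000 dump is a single page. A region dump is the mapped (virtual) layout, so a PE header found at its start can be checked directly against the range in the file name. The script below is an added example, not part of this report: it parses names in the form shown here and tests whether a region's header is consistent with its bounds. Because the dumps themselves are not on this page, the PE bytes it feeds in are constructed, a bare PE32 header carrying the base and size of the 0x400000-0x53D000 region.

```python
"""Triage the per-region memory dumps listed under Files.

Added example, not part of the report. It parses dump names in the form the
page shows (memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp) and checks whether
a dumped region holds a PE image whose header agrees with the region it came
from. The PE bytes used as input are constructed here: a bare PE32 header
carrying the base and size of the report's 0x400000-0x53D000 region; the real
dumps are not reproduced on the page.
"""
import re
import struct

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Recover pid, dump index and the virtual address range from the file name."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a region dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "index": int(m["n"]), "start": start, "end": end, "size": end - start}


def pe_image_summary(blob):
    """Return ImageBase, SizeOfImage and entry RVA of a PE32/PE32+ header, or None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    opt = e_lfanew + 4 + 20                      # after "PE\0\0" and the COFF header
    if e_lfanew + 4 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0" or opt + 96 > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:                           # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    elif magic == 0x20B:                         # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    else:
        return None
    return {
        "magic": magic,
        "image_base": image_base,
        "size_of_image": struct.unpack_from("<I", blob, opt + 56)[0],
        "entry_rva": struct.unpack_from("<I", blob, opt + 16)[0],
    }


def check_region(dump_name, blob):
    """Compare the header inside a dumped region with the region's own bounds.

    For a hollowed host the injected image is normally mapped at its preferred
    ImageBase with SizeOfImage bytes reserved, so a dump whose start equals
    ImageBase and whose size covers SizeOfImage is the payload image itself;
    a region with no MZ/PE header (stack, heap, data) is not.
    """
    region = parse_dump_name(dump_name)
    pe = pe_image_summary(blob)
    if pe is None:
        return {**region, "is_pe": False}
    return {
        **region, **pe, "is_pe": True,
        "base_matches": pe["image_base"] == region["start"],
        "fits_region": pe["size_of_image"] <= region["size"],
        "entry_in_region": pe["entry_rva"] < region["size"],
    }


def build_pe32_header(image_base, size_of_image, entry_rva):
    """Constructed test input: a minimal PE32 header with no sections and no code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)   # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                      # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                          # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                           # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)                   # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)                           # SizeOfHeaders
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    image_dump = "memory/2088-0-0x0000000000400000-0x000000000053D000-memory.dmp"
    page_dump = "memory/2088-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp"
    print(check_region(image_dump, build_pe32_header(0x400000, 0x13D000, 0x1000)))
    print(check_region(page_dump, b"\x00" * 0x1000))
```

On a real dump, feed `check_region` the file's bytes: a region that is a PE whose ImageBase equals the dump start and whose SizeOfImage fits the range is the candidate to carve, rebase and hand to a disassembler, while a mismatched base usually means the image was relocated or the dump starts mid-image. A region without an MZ header, such as the single-page 0xFFFDE000 dump, is not the payload and can be set aside during triage.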