Analysis Overview
SHA256
94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408
Threat Level: Known bad
The file 94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408 was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Healer
SystemBC
Detected google phishing page
Modifies Windows Defender Real-time Protection settings
RedLine
Amadey
Detects Healer an antivirus disabler dropper
Glupteba
RedLine payload
DcRat
Looks for VirtualBox Guest Additions in registry
Modifies Windows Firewall
Looks for VMWare Tools registry key
Downloads MZ/PE file
Checks BIOS information in registry
Windows security modification
Loads dropped DLL
Uses the VBS compiler for execution
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Reads user/profile data of local email clients
.NET Reactor protector
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Maps connected drives based on registry
Looks up external IP address via web service
Suspicious use of SetThreadContext
Drops file in System32 directory
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Enumerates system info in registry
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Modifies system certificate store
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-12 12:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-12 12:56
Reported
2023-10-16 03:41
Platform
win10v2004-20230915-en
Max time kernel
111s
Max time network
155s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detected google phishing page
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Glupteba
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\3855.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\3855.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\3855.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\3855.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\3855.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
SystemBC
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\861E.exe | N/A |
Downloads MZ/PE file
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\861E.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\861E.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9708782.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5D96.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\oldplayer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4B74.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6692191.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\448C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\448C.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\3855.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nalo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000077051\\nalo.exe" | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\wO2jM2dA.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4457421.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6300316.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9128519.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sus.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000075051\\sus.exe" | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MU0Vk9th.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Kg5JV7VZ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\hr3Gd1wJ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2B70.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup9 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP010.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto2552.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000076051\\foto2552.exe" | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000127051\\socks.exe" | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\861E.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\861E.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Tasks\ftjha.job | C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\Tasks\ftjha.job | C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\861E.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\861E.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\861E.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\861E.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\861E.exe | N/A |
Kills process with taskkill
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000017e431d9a2c98c4f9f85fcb7a9559b0300000000020000000000106600000001000020000000b79c71c918a3d76dc3b101edff4b2ce3bcd2cd429ccacea87947567cb2532b6d000000000e8000000002000020000000ef04ce7c56933da32db2f120dc51428bd1b4be8a5a714398dd433ea7ff5469b520000000f6fe2a38fbe4185b57e5d896e2caeed4dd91bcb02a35fa3b48ab60640a86295040000000340bf24fe7b65a0471c04c345551d7595b629c9c454595e45d4159eab7bb026dbde6b046299ccbaf06b281591d085bff5c45dc3f027de9d6fa0fd303a3ca6282 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000017e431d9a2c98c4f9f85fcb7a9559b030000000002000000000010660000000100002000000058974afa91b244fd8628ae5e3510cb223f6b20458c95d1b1fc25c5ca5ee0990d000000000e80000000020000200000001f29e19de72036fed4a25f6de7f956a9fdd04b2797f316edd51abb3cc2ea904b200000007a7ab60f6a24e88cffb9e55be36316852aa66906eadf32049ac8f5b6986ec88b40000000ce05db26b6b47eb1ac89d4fc92f7e144940fb8e6838a7b3a4780c4ea7b24580318bb02a315f19532ec365dcd2a85c220f0f903e920a32f71631efcfbc119f98e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31064034" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1715431383" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1715491588" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31064034" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4018136de2ffd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8F8FA320-6BD5-11EE-B0C5-CE3E7C77A9B8} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404192528" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0f8056de2ffd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2890696111-2332180956-3312704074-1000\{65CB7380-9E2C-4167-A5B6-565BBC4914A4} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\861E.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\861E.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe
"C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3200 -ip 3200
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4457421.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4457421.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 284
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9128519.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9128519.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6300316.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6300316.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3960 -ip 3960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 148
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2116 -ip 2116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2752 -ip 2752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4764 -ip 4764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 584
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6692191.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6692191.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7090902.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7090902.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4468 -ip 4468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 572
C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe
"C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe
"C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2176 -ip 2176
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MU0Vk9th.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MU0Vk9th.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 592
C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe
"C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Kg5JV7VZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Kg5JV7VZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9708782.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9708782.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\hr3Gd1wJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\hr3Gd1wJ.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5112 -ip 5112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1276 -ip 1276
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\wO2jM2dA.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\wO2jM2dA.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1mP48Ne7.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1mP48Ne7.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 148
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1044 -ip 1044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2968 -ip 2968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 540
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2oA114KX.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2oA114KX.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe
"C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb64b79758,0x7ffb64b79768,0x7ffb64b79778
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4048 CREDAT:17410 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Users\Admin\AppData\Local\Temp\2B70.exe
C:\Users\Admin\AppData\Local\Temp\2B70.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4916 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\33A0.bat" "
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5060 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe
C:\Users\Admin\AppData\Local\Temp\315D.exe
C:\Users\Admin\AppData\Local\Temp\315D.exe
C:\ProgramData\vhvd\ftjha.exe
C:\ProgramData\vhvd\ftjha.exe start2
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe
C:\Users\Admin\AppData\Local\Temp\3660.exe
C:\Users\Admin\AppData\Local\Temp\3660.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4116 -ip 4116
C:\Users\Admin\AppData\Local\Temp\3855.exe
C:\Users\Admin\AppData\Local\Temp\3855.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 272
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3416 -ip 3416
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4816 -ip 4816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3592 -ip 3592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 588
C:\Users\Admin\AppData\Local\Temp\3D19.exe
C:\Users\Admin\AppData\Local\Temp\3D19.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 140
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5320 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2oA114KX.exe
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2oA114KX.exe
C:\Users\Admin\AppData\Local\Temp\448C.exe
C:\Users\Admin\AppData\Local\Temp\448C.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Users\Admin\AppData\Local\Temp\4836.exe
C:\Users\Admin\AppData\Local\Temp\4836.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb51fb46f8,0x7ffb51fb4708,0x7ffb51fb4718
C:\Users\Admin\AppData\Local\Temp\4B74.exe
C:\Users\Admin\AppData\Local\Temp\4B74.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1672 -ip 1672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 784
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb51fb46f8,0x7ffb51fb4708,0x7ffb51fb4718
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\53B2.exe
C:\Users\Admin\AppData\Local\Temp\53B2.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1872,i,196990598455796576,15689832477543235294,131072 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2652 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
C:\Users\Admin\AppData\Local\Temp\5D96.exe
C:\Users\Admin\AppData\Local\Temp\5D96.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,2075902340006187731,2325420606691374785,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,2075902340006187731,2325420606691374785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\861E.exe
C:\Users\Admin\AppData\Local\Temp\861E.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\861E.exe
C:\Users\Admin\AppData\Local\Temp\861E.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,2757246134285022480,15620304877676124667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:R" /E
C:\Windows\SYSTEM32\cmd.exe
cmd /c
C:\Windows\system32\runas.exe
runas /user:Administrator C:\Users\Admin\AppData\Local\Temp\861E.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb64b79758,0x7ffb64b79768,0x7ffb64b79778
C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Skype.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM browser.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM iridium.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM uran.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM epic.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM sputnik.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM 7star.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM centbrowser.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM amigo.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM torch.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM kometa.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\taskkill.exe
taskkill /F /IM orbitum.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM viber.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM WhatsApp.exe.
C:\Windows\system32\taskkill.exe
taskkill /F /IM monero-wallet-gui.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM coinomi.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM bitcoin-qt.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\taskkill.exe
taskkill /F /IM bytecoinwallet.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM armoryqt.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM atomicwallet.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM exodus.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM electrum.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\taskkill.exe
taskkill /F /IM dash-qt.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM litecoin-qt.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM bitcoin-qt.exe
C:\Users\Admin\AppData\Roaming\wiruura
C:\Users\Admin\AppData\Roaming\wiruura
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb64b79758,0x7ffb64b79768,0x7ffb64b79778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb64b79758,0x7ffb64b79768,0x7ffb64b79778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4020 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3772 --field-trial-handle=2008,i,15029369365091787907,1384160071427387162,131072 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\ProgramData\vhvd\ftjha.exe
C:\ProgramData\vhvd\ftjha.exe start2
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Network
Files
memory/1972-0-0x0000000000400000-0x000000000053D000-memory.dmp
memory/1972-1-0x0000000000400000-0x000000000053D000-memory.dmp
memory/1972-2-0x0000000000400000-0x000000000053D000-memory.dmp
memory/1972-3-0x0000000000400000-0x000000000053D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4457421.exe
| MD5 | 73af5a77a25d235b1a168512abd1e0b2 |
| SHA1 | 921cdfc832a60984b801378833f3d6f8d005ce64 |
| SHA256 | 43cdfd8727ec4397246c7f97d75dfed4f00c8149da3b5c7c33bd07788f477b4b |
| SHA512 | 482c22be6322dbc731509150e1077fcc9ae11af6186851d9cbe1780330a31e040ee538394509e9b4cd65d1e1b377eded0254586a34ca843ee82442342168ab2c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4457421.exe
| MD5 | 73af5a77a25d235b1a168512abd1e0b2 |
| SHA1 | 921cdfc832a60984b801378833f3d6f8d005ce64 |
| SHA256 | 43cdfd8727ec4397246c7f97d75dfed4f00c8149da3b5c7c33bd07788f477b4b |
| SHA512 | 482c22be6322dbc731509150e1077fcc9ae11af6186851d9cbe1780330a31e040ee538394509e9b4cd65d1e1b377eded0254586a34ca843ee82442342168ab2c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9128519.exe
| MD5 | 2a87c881bce59b82bde7d2bd9e5a2cab |
| SHA1 | 54c516164dffb257732d0b5de1807ed13cc9ea36 |
| SHA256 | 4a64df533782075e03f747fd5e6c7dff482ada1e27f11b8fd6c44ce7c24e4e6c |
| SHA512 | 5ab3928e86ba7b199b6ca8eaee39b11ad35b1f28a5ec21c60c9c3c5c694c62981554cba3acae6c8dbb5aa85d71812e530312737ecca6651dddcfb2b54b59a1b8 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9128519.exe
| MD5 | 2a87c881bce59b82bde7d2bd9e5a2cab |
| SHA1 | 54c516164dffb257732d0b5de1807ed13cc9ea36 |
| SHA256 | 4a64df533782075e03f747fd5e6c7dff482ada1e27f11b8fd6c44ce7c24e4e6c |
| SHA512 | 5ab3928e86ba7b199b6ca8eaee39b11ad35b1f28a5ec21c60c9c3c5c694c62981554cba3acae6c8dbb5aa85d71812e530312737ecca6651dddcfb2b54b59a1b8 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe
| MD5 | 863024796e1e73fe51fea2ed0ab41bd7 |
| SHA1 | 477fb4bb1c57284bdd1fc7b2fa759c4065c09aa5 |
| SHA256 | b6a48a02e8916fd26a4d8a66441b342b3a7ad7d17707ead47f7c076501bccc0e |
| SHA512 | 3e062a13efdd8142b5006fd07eadadca11cf8070117ae1e168f3eb12dabf92f1423b0f23ed5f775e7e8370febbee27c3fded62d8dd6b9e3b2482ec741e2354b0 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8963686.exe
| MD5 | 863024796e1e73fe51fea2ed0ab41bd7 |
| SHA1 | 477fb4bb1c57284bdd1fc7b2fa759c4065c09aa5 |
| SHA256 | b6a48a02e8916fd26a4d8a66441b342b3a7ad7d17707ead47f7c076501bccc0e |
| SHA512 | 3e062a13efdd8142b5006fd07eadadca11cf8070117ae1e168f3eb12dabf92f1423b0f23ed5f775e7e8370febbee27c3fded62d8dd6b9e3b2482ec741e2354b0 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6300316.exe
| MD5 | 449440907fb043910a2386270a21c1cb |
| SHA1 | e57e9b48b7481b111fe21f1d677cfe7eb7bb330f |
| SHA256 | 3b9ad0b8ffbde901bbe5b629e71cf633e3b1518878d4f4675ac1a488e0688dc8 |
| SHA512 | 66cea07f4463a41a45d50cfbd0d60e794bbb3cef131aaa9fa5b2a000c133e958c5201635ff90f09d7ae5cb171b65ab6975bec46e6deca421e94e2f9f839304f4 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6300316.exe
| MD5 | 449440907fb043910a2386270a21c1cb |
| SHA1 | e57e9b48b7481b111fe21f1d677cfe7eb7bb330f |
| SHA256 | 3b9ad0b8ffbde901bbe5b629e71cf633e3b1518878d4f4675ac1a488e0688dc8 |
| SHA512 | 66cea07f4463a41a45d50cfbd0d60e794bbb3cef131aaa9fa5b2a000c133e958c5201635ff90f09d7ae5cb171b65ab6975bec46e6deca421e94e2f9f839304f4 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe
| MD5 | 2fba4bafa19f78d05098f7067d1b0420 |
| SHA1 | 942a08102ceec9d800e3a3d2832403a62fb24da9 |
| SHA256 | 27761c9dd439d8be271ac4b0ff485caafc74fd29be1e7c7b1c03179dff62654c |
| SHA512 | c294d8c648fe521fbd01379b708a3b4474b17848c81d113bcdad9a391095b3d6ba1457f9f3c2974a09db34cf64ae82413bb1f2ad5cbe8d3617822602032b3f62 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3614952.exe
| MD5 | 2fba4bafa19f78d05098f7067d1b0420 |
| SHA1 | 942a08102ceec9d800e3a3d2832403a62fb24da9 |
| SHA256 | 27761c9dd439d8be271ac4b0ff485caafc74fd29be1e7c7b1c03179dff62654c |
| SHA512 | c294d8c648fe521fbd01379b708a3b4474b17848c81d113bcdad9a391095b3d6ba1457f9f3c2974a09db34cf64ae82413bb1f2ad5cbe8d3617822602032b3f62 |
memory/2072-39-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2072-40-0x0000000073940000-0x00000000740F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe
| MD5 | d95d3929186b0cf20b5c75260cfd9365 |
| SHA1 | 9d9a2344308125504276f1c6dc496c816ce5fe6d |
| SHA256 | 28e3b465490dc02c0900d0a7d34956a267a502d05af35021c73b6c2f9cc435ac |
| SHA512 | 10d806c04dccd7e1764a976967128313c54e52917cf65c1e5e1afecc67c73b1396bac239bac953d7141691810157a7326c6d6c2f1b6273cbe168a4e56c532ce0 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7446754.exe
| MD5 | d95d3929186b0cf20b5c75260cfd9365 |
| SHA1 | 9d9a2344308125504276f1c6dc496c816ce5fe6d |
| SHA256 | 28e3b465490dc02c0900d0a7d34956a267a502d05af35021c73b6c2f9cc435ac |
| SHA512 | 10d806c04dccd7e1764a976967128313c54e52917cf65c1e5e1afecc67c73b1396bac239bac953d7141691810157a7326c6d6c2f1b6273cbe168a4e56c532ce0 |
memory/2752-44-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2752-46-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2752-45-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2752-48-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe
| MD5 | d33131e4f9719a7db6d73daad3d9d424 |
| SHA1 | 872abbb1b57b812cd448c5c615ef25cc29ee71e4 |
| SHA256 | a8f86b4e7cdaf77c62eadd46b7472b45bad6490d0bdbbb581ad5643ebb52a31b |
| SHA512 | 0e2149ca74056ae9fbf89bfd2edc77e397faa2ac911ba459161dd22a6865967419af11d1713c5875a549e6cd33684a61fdc1e2a6a628c63925cf119d1839852e |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1750217.exe
| MD5 | d33131e4f9719a7db6d73daad3d9d424 |
| SHA1 | 872abbb1b57b812cd448c5c615ef25cc29ee71e4 |
| SHA256 | a8f86b4e7cdaf77c62eadd46b7472b45bad6490d0bdbbb581ad5643ebb52a31b |
| SHA512 | 0e2149ca74056ae9fbf89bfd2edc77e397faa2ac911ba459161dd22a6865967419af11d1713c5875a549e6cd33684a61fdc1e2a6a628c63925cf119d1839852e |
memory/5056-52-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5056-53-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6692191.exe
| MD5 | c256a814d3f9d02d73029580dfe882b3 |
| SHA1 | e11e9ea937183139753f3b0d5e71c8301d000896 |
| SHA256 | 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c |
| SHA512 | 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6692191.exe
| MD5 | c256a814d3f9d02d73029580dfe882b3 |
| SHA1 | e11e9ea937183139753f3b0d5e71c8301d000896 |
| SHA256 | 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c |
| SHA512 | 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
| MD5 | c256a814d3f9d02d73029580dfe882b3 |
| SHA1 | e11e9ea937183139753f3b0d5e71c8301d000896 |
| SHA256 | 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c |
| SHA512 | 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
| MD5 | c256a814d3f9d02d73029580dfe882b3 |
| SHA1 | e11e9ea937183139753f3b0d5e71c8301d000896 |
| SHA256 | 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c |
| SHA512 | 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
| MD5 | c256a814d3f9d02d73029580dfe882b3 |
| SHA1 | e11e9ea937183139753f3b0d5e71c8301d000896 |
| SHA256 | 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c |
| SHA512 | 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7090902.exe
| MD5 | 46de1fa1891852be54c43db9350bd542 |
| SHA1 | f55345533ddc021f184a1f4a50460476bb98d75d |
| SHA256 | a472133e987c63feae2533ed42dc74e26d450387506d87c25ee24d61a0ab31ac |
| SHA512 | 2e1f6a049a07d0b4421a37aa26a8053db86bfe8ac96d76c6875b91d047cc26a8f92e6156b47b12c4c6a69c1d062c40f520dde6c1b75f5e88a350806f372691b9 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7090902.exe
| MD5 | 46de1fa1891852be54c43db9350bd542 |
| SHA1 | f55345533ddc021f184a1f4a50460476bb98d75d |
| SHA256 | a472133e987c63feae2533ed42dc74e26d450387506d87c25ee24d61a0ab31ac |
| SHA512 | 2e1f6a049a07d0b4421a37aa26a8053db86bfe8ac96d76c6875b91d047cc26a8f92e6156b47b12c4c6a69c1d062c40f520dde6c1b75f5e88a350806f372691b9 |
C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1
| MD5 | 396a54bc76f9cce7fb36f4184dbbdb20 |
| SHA1 | bb4a6e14645646b100f72d6f41171cd9ed6d84c4 |
| SHA256 | 569231a6d7fcb66f4cacf62fd927c9c7da74d720e78ae09e07032b71a1e0a43a |
| SHA512 | 645dd17a7ddad1f8cc7b35ff0c2a5c02edfe13f21e312c3e2b7b87f75b18376cc153b2f7323558fa4fb36422878bbcc40c66ab3f6f83c60a8bee3c87ae296bbe |
memory/2140-74-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3624-76-0x0000000002B80000-0x0000000002BB6000-memory.dmp
memory/3624-75-0x0000000073940000-0x00000000740F0000-memory.dmp
memory/2140-77-0x00000000054B0000-0x00000000054B6000-memory.dmp
memory/2140-78-0x0000000073940000-0x00000000740F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe
| MD5 | e2653ea779dfa83d932a209e83766279 |
| SHA1 | 30df9859ac93992ddf916c052402365c22019ae6 |
| SHA256 | 4fc0e969b8367e21b734926d5d8c4618cbde095483ad6a03642d20ae5e27ba4c |
| SHA512 | 67ba9d47d0486c7e62faf85beb65056992da00abb27e9b74b90f03a92c6ecea7c31af18e5471b1475e57b6bc95b6ce10f24dd03d4e251aaac6d473ae35c476c6 |
memory/1972-85-0x0000000000400000-0x000000000053D000-memory.dmp
memory/3624-88-0x0000000002D70000-0x0000000002D80000-memory.dmp
memory/3624-87-0x0000000002D70000-0x0000000002D80000-memory.dmp
memory/3624-86-0x0000000005770000-0x0000000005D98000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe
| MD5 | e2653ea779dfa83d932a209e83766279 |
| SHA1 | 30df9859ac93992ddf916c052402365c22019ae6 |
| SHA256 | 4fc0e969b8367e21b734926d5d8c4618cbde095483ad6a03642d20ae5e27ba4c |
| SHA512 | 67ba9d47d0486c7e62faf85beb65056992da00abb27e9b74b90f03a92c6ecea7c31af18e5471b1475e57b6bc95b6ce10f24dd03d4e251aaac6d473ae35c476c6 |
memory/3624-95-0x0000000005600000-0x0000000005622000-memory.dmp
memory/2140-96-0x0000000005D70000-0x0000000006388000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3a5jjfvn.g1a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2140-100-0x0000000005860000-0x000000000596A000-memory.dmp
memory/3624-97-0x0000000005E10000-0x0000000005E76000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe
| MD5 | e2653ea779dfa83d932a209e83766279 |
| SHA1 | 30df9859ac93992ddf916c052402365c22019ae6 |
| SHA256 | 4fc0e969b8367e21b734926d5d8c4618cbde095483ad6a03642d20ae5e27ba4c |
| SHA512 | 67ba9d47d0486c7e62faf85beb65056992da00abb27e9b74b90f03a92c6ecea7c31af18e5471b1475e57b6bc95b6ce10f24dd03d4e251aaac6d473ae35c476c6 |
memory/2140-122-0x0000000005800000-0x000000000583C000-memory.dmp
memory/5056-119-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2140-117-0x00000000054C0000-0x00000000054D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe
| MD5 | ea268ea4d55e60f0f1ec5bb34e0e03c1 |
| SHA1 | 14a84040962e8e267f23e469041fcfb2299fed21 |
| SHA256 | 514b3ef7e4d2db0be517a79278bb0810eb4d3b54d93e6cce1da7690b26be7ac5 |
| SHA512 | 41d57dc83787b66100ca8884a0ecbabacfdbb3509d1eea34ce597e6720c68673aee52bec6aa103446edef45dc9bd79963051a5af347a50dc1c0392ee501870b5 |
memory/3624-110-0x0000000005E80000-0x0000000005EE6000-memory.dmp
memory/2140-105-0x00000000057A0000-0x00000000057B2000-memory.dmp
memory/2632-104-0x0000000002680000-0x0000000002696000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe
| MD5 | ea268ea4d55e60f0f1ec5bb34e0e03c1 |
| SHA1 | 14a84040962e8e267f23e469041fcfb2299fed21 |
| SHA256 | 514b3ef7e4d2db0be517a79278bb0810eb4d3b54d93e6cce1da7690b26be7ac5 |
| SHA512 | 41d57dc83787b66100ca8884a0ecbabacfdbb3509d1eea34ce597e6720c68673aee52bec6aa103446edef45dc9bd79963051a5af347a50dc1c0392ee501870b5 |
C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe
| MD5 | ea268ea4d55e60f0f1ec5bb34e0e03c1 |
| SHA1 | 14a84040962e8e267f23e469041fcfb2299fed21 |
| SHA256 | 514b3ef7e4d2db0be517a79278bb0810eb4d3b54d93e6cce1da7690b26be7ac5 |
| SHA512 | 41d57dc83787b66100ca8884a0ecbabacfdbb3509d1eea34ce597e6720c68673aee52bec6aa103446edef45dc9bd79963051a5af347a50dc1c0392ee501870b5 |
memory/3624-138-0x0000000006000000-0x0000000006354000-memory.dmp
memory/4552-140-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2072-139-0x0000000073940000-0x00000000740F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe
| MD5 | e92f0e5c0acbede9451b1dc8d95f056c |
| SHA1 | f12699dc9e95f7d74109eebb8e9ab9e559bdf525 |
| SHA256 | b86133a9e04b4620245d934e1222905db8c2bca65cf116b7baa00617ab920cce |
| SHA512 | 737fd11b47f42c18e0a5cadd5bdac6bb4d5e50b47dd571e8201593a705192f173da8121d8c7740b20b2b06870a180fbc8f54381388e82ffa09bae364f26f7773 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MU0Vk9th.exe
| MD5 | 7da9d23e390d389c223ee210c1d44cd5 |
| SHA1 | 419db1be012ffe1b300dbf4bf2d5dd2077034414 |
| SHA256 | 5562616f58e6613da22f98c84441206fb2ff84ebd3f7a1f04979904c35c6974a |
| SHA512 | bfbd8cdd923e2e481a5ef909abc9c83c438d1a21230125eb540c3c1cdf7ceb11889551ae73cfb7a3c8eb2192c7d652398161b0806ef9654965da3b37279b5eb5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MU0Vk9th.exe
| MD5 | 7da9d23e390d389c223ee210c1d44cd5 |
| SHA1 | 419db1be012ffe1b300dbf4bf2d5dd2077034414 |
| SHA256 | 5562616f58e6613da22f98c84441206fb2ff84ebd3f7a1f04979904c35c6974a |
| SHA512 | bfbd8cdd923e2e481a5ef909abc9c83c438d1a21230125eb540c3c1cdf7ceb11889551ae73cfb7a3c8eb2192c7d652398161b0806ef9654965da3b37279b5eb5 |
C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe
| MD5 | e92f0e5c0acbede9451b1dc8d95f056c |
| SHA1 | f12699dc9e95f7d74109eebb8e9ab9e559bdf525 |
| SHA256 | b86133a9e04b4620245d934e1222905db8c2bca65cf116b7baa00617ab920cce |
| SHA512 | 737fd11b47f42c18e0a5cadd5bdac6bb4d5e50b47dd571e8201593a705192f173da8121d8c7740b20b2b06870a180fbc8f54381388e82ffa09bae364f26f7773 |
C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe
| MD5 | e92f0e5c0acbede9451b1dc8d95f056c |
| SHA1 | f12699dc9e95f7d74109eebb8e9ab9e559bdf525 |
| SHA256 | b86133a9e04b4620245d934e1222905db8c2bca65cf116b7baa00617ab920cce |
| SHA512 | 737fd11b47f42c18e0a5cadd5bdac6bb4d5e50b47dd571e8201593a705192f173da8121d8c7740b20b2b06870a180fbc8f54381388e82ffa09bae364f26f7773 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Kg5JV7VZ.exe
| MD5 | b577757a01cb47bdcd0fcde5c14d8d9c |
| SHA1 | 0f34a499b9d8ee929ac97d51ec0b6a96b9e75ebd |
| SHA256 | 4b7f310c8e6ae1ae8d6bd4736acea0688ae50c56b65168186304626a1bbc1534 |
| SHA512 | aa6e88bdf4cd11e0c661b90cce50a1555dd947bdf71e8a40b8069b7d9bd5afa6291a88392260a3948adb05bcbae3385b33dc650bafa4c8f63d9500bd5cb1d13f |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Kg5JV7VZ.exe
| MD5 | b577757a01cb47bdcd0fcde5c14d8d9c |
| SHA1 | 0f34a499b9d8ee929ac97d51ec0b6a96b9e75ebd |
| SHA256 | 4b7f310c8e6ae1ae8d6bd4736acea0688ae50c56b65168186304626a1bbc1534 |
| SHA512 | aa6e88bdf4cd11e0c661b90cce50a1555dd947bdf71e8a40b8069b7d9bd5afa6291a88392260a3948adb05bcbae3385b33dc650bafa4c8f63d9500bd5cb1d13f |
memory/2140-168-0x0000000005970000-0x00000000059BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9708782.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\hr3Gd1wJ.exe
| MD5 | 0a82f72da3cd8178272bbdc1011f48d8 |
| SHA1 | 3701c0cfb04f3edcdf9b8837a708cdba9da2a100 |
| SHA256 | b98296a06b9887bf154c23ad2a54312ec1f5f6b81295f9ba8f40d628b6ad4759 |
| SHA512 | f18114927aeedd22feb126d1f78512d848ef54c0574b776f9e95aa210540fc3796c23701b490ba350aecdf10b2270c8204465da8c465726a818fbaf9f44190ed |
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\hr3Gd1wJ.exe
| MD5 | 0a82f72da3cd8178272bbdc1011f48d8 |
| SHA1 | 3701c0cfb04f3edcdf9b8837a708cdba9da2a100 |
| SHA256 | b98296a06b9887bf154c23ad2a54312ec1f5f6b81295f9ba8f40d628b6ad4759 |
| SHA512 | f18114927aeedd22feb126d1f78512d848ef54c0574b776f9e95aa210540fc3796c23701b490ba350aecdf10b2270c8204465da8c465726a818fbaf9f44190ed |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9708782.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
memory/1276-177-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1276-178-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1276-179-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1276-181-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\wO2jM2dA.exe
| MD5 | 69379446749390eb632eae36fe81cc84 |
| SHA1 | c6bb099e3a391b5cc6ddc007571d439db2233ea3 |
| SHA256 | 9f7ac3a89733b574e528bde53084b7db1b88ba25bb01e5218f5407c72b3d7233 |
| SHA512 | a883dc99e94ae7c98216562c135a1b603c22b33c88080c95364dab360c546f201becba930b3dd20f44f724b3e79c91487aeed9a015cc6c3435446431078e097a |
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\wO2jM2dA.exe
| MD5 | 69379446749390eb632eae36fe81cc84 |
| SHA1 | c6bb099e3a391b5cc6ddc007571d439db2233ea3 |
| SHA256 | 9f7ac3a89733b574e528bde53084b7db1b88ba25bb01e5218f5407c72b3d7233 |
| SHA512 | a883dc99e94ae7c98216562c135a1b603c22b33c88080c95364dab360c546f201becba930b3dd20f44f724b3e79c91487aeed9a015cc6c3435446431078e097a |
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1mP48Ne7.exe
| MD5 | 2ddfedb3c1d3451453f626af981a42bd |
| SHA1 | 73edfd89b2fd7bb919c5dd79add5a29aded1d4fe |
| SHA256 | 4c5659217b9e8f8f7f37cc45e0ad519719010597f07ecd738da927933a91ed2a |
| SHA512 | 1a3c55e40a7ed3386f102930d9c1746aaaa6ede52238a02ea963da968fa5686bfee122bd1cd95e00b9fe8ef178fa5b9b9fe1a1a976a407bf8aa0981f1e98c7d9 |
memory/1972-202-0x0000000000400000-0x000000000053D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1mP48Ne7.exe
| MD5 | 2ddfedb3c1d3451453f626af981a42bd |
| SHA1 | 73edfd89b2fd7bb919c5dd79add5a29aded1d4fe |
| SHA256 | 4c5659217b9e8f8f7f37cc45e0ad519719010597f07ecd738da927933a91ed2a |
| SHA512 | 1a3c55e40a7ed3386f102930d9c1746aaaa6ede52238a02ea963da968fa5686bfee122bd1cd95e00b9fe8ef178fa5b9b9fe1a1a976a407bf8aa0981f1e98c7d9 |
memory/3624-204-0x00000000064D0000-0x00000000064EE000-memory.dmp
memory/2968-208-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2072-207-0x0000000073940000-0x00000000740F0000-memory.dmp
memory/2968-209-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2968-211-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1
| MD5 | 396a54bc76f9cce7fb36f4184dbbdb20 |
| SHA1 | bb4a6e14645646b100f72d6f41171cd9ed6d84c4 |
| SHA256 | 569231a6d7fcb66f4cacf62fd927c9c7da74d720e78ae09e07032b71a1e0a43a |
| SHA512 | 645dd17a7ddad1f8cc7b35ff0c2a5c02edfe13f21e312c3e2b7b87f75b18376cc153b2f7323558fa4fb36422878bbcc40c66ab3f6f83c60a8bee3c87ae296bbe |
memory/2632-213-0x0000000002720000-0x0000000002736000-memory.dmp
memory/4552-214-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2oA114KX.exe
| MD5 | 02bb293d4d6bc0af5a2858909dccd5f9 |
| SHA1 | f39ed285b4265f8b1792cb0bbe94cd5ae617a13b |
| SHA256 | 51f954c41b6cf94a2e01b9c19f0a5d8016e3d7bcf2d6219bbc9193c1180e562e |
| SHA512 | 18062c8826a63ff0ab5d0a7ff7b6c2900631b18203871d5a495ffd3866edf85d05e1109756061eca6a6c918afe6575acc79f1a4adda116e13d2d93d6dc49fa81 |
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2oA114KX.exe
| MD5 | 02bb293d4d6bc0af5a2858909dccd5f9 |
| SHA1 | f39ed285b4265f8b1792cb0bbe94cd5ae617a13b |
| SHA256 | 51f954c41b6cf94a2e01b9c19f0a5d8016e3d7bcf2d6219bbc9193c1180e562e |
| SHA512 | 18062c8826a63ff0ab5d0a7ff7b6c2900631b18203871d5a495ffd3866edf85d05e1109756061eca6a6c918afe6575acc79f1a4adda116e13d2d93d6dc49fa81 |
memory/3648-220-0x0000000000960000-0x000000000099E000-memory.dmp
memory/3624-221-0x0000000073940000-0x00000000740F0000-memory.dmp
memory/2140-222-0x0000000073940000-0x00000000740F0000-memory.dmp
memory/3648-223-0x0000000073940000-0x00000000740F0000-memory.dmp
memory/3648-224-0x0000000007C60000-0x0000000008204000-memory.dmp
memory/3648-225-0x0000000007750000-0x00000000077E2000-memory.dmp
memory/3648-226-0x0000000007700000-0x0000000007710000-memory.dmp
memory/3624-230-0x0000000002D70000-0x0000000002D80000-memory.dmp
memory/3624-232-0x0000000002D70000-0x0000000002D80000-memory.dmp
memory/3624-233-0x0000000002D70000-0x0000000002D80000-memory.dmp
memory/3648-231-0x00000000077F0000-0x00000000077FA000-memory.dmp
memory/3624-237-0x0000000007740000-0x00000000077D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe
| MD5 | 2a18e8163bdd80fcde52ac7a630ca65d |
| SHA1 | 18983ef45b2953cb5b7ee9ed6fa153e406c85311 |
| SHA256 | f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82 |
| SHA512 | bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
| MD5 | c256a814d3f9d02d73029580dfe882b3 |
| SHA1 | e11e9ea937183139753f3b0d5e71c8301d000896 |
| SHA256 | 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c |
| SHA512 | 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a |
memory/3624-245-0x00000000069E0000-0x0000000006A02000-memory.dmp
memory/3624-238-0x0000000006970000-0x000000000698A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe
| MD5 | 2a18e8163bdd80fcde52ac7a630ca65d |
| SHA1 | 18983ef45b2953cb5b7ee9ed6fa153e406c85311 |
| SHA256 | f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82 |
| SHA512 | bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb |
memory/2140-252-0x00000000054C0000-0x00000000054D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe
| MD5 | 2a18e8163bdd80fcde52ac7a630ca65d |
| SHA1 | 18983ef45b2953cb5b7ee9ed6fa153e406c85311 |
| SHA256 | f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82 |
| SHA512 | bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb |
memory/3624-255-0x000000007F340000-0x000000007F350000-memory.dmp
memory/3624-256-0x0000000007820000-0x0000000007852000-memory.dmp
memory/3624-257-0x000000006C700000-0x000000006C74C000-memory.dmp
memory/3624-267-0x0000000007800000-0x000000000781E000-memory.dmp
memory/3624-268-0x0000000007860000-0x0000000007903000-memory.dmp
memory/3624-269-0x00000000089C0000-0x000000000903A000-memory.dmp
memory/3624-270-0x00000000079F0000-0x00000000079FA000-memory.dmp
memory/3624-271-0x0000000007B50000-0x0000000007B61000-memory.dmp
memory/3648-272-0x0000000073940000-0x00000000740F0000-memory.dmp
memory/3624-273-0x0000000007B90000-0x0000000007B9E000-memory.dmp
memory/3624-274-0x0000000007BA0000-0x0000000007BB4000-memory.dmp
memory/3624-275-0x0000000007BE0000-0x0000000007BFA000-memory.dmp
memory/3624-276-0x0000000007BD0000-0x0000000007BD8000-memory.dmp
memory/3624-280-0x0000000073940000-0x00000000740F0000-memory.dmp
memory/3648-282-0x0000000007700000-0x0000000007710000-memory.dmp
\??\pipe\crashpad_1040_IGEFQDNYJLAXUYYS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\2B70.exe
| MD5 | ea268ea4d55e60f0f1ec5bb34e0e03c1 |
| SHA1 | 14a84040962e8e267f23e469041fcfb2299fed21 |
| SHA256 | 514b3ef7e4d2db0be517a79278bb0810eb4d3b54d93e6cce1da7690b26be7ac5 |
| SHA512 | 41d57dc83787b66100ca8884a0ecbabacfdbb3509d1eea34ce597e6720c68673aee52bec6aa103446edef45dc9bd79963051a5af347a50dc1c0392ee501870b5 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe
| MD5 | 7da9d23e390d389c223ee210c1d44cd5 |
| SHA1 | 419db1be012ffe1b300dbf4bf2d5dd2077034414 |
| SHA256 | 5562616f58e6613da22f98c84441206fb2ff84ebd3f7a1f04979904c35c6974a |
| SHA512 | bfbd8cdd923e2e481a5ef909abc9c83c438d1a21230125eb540c3c1cdf7ceb11889551ae73cfb7a3c8eb2192c7d652398161b0806ef9654965da3b37279b5eb5 |
C:\Users\Admin\AppData\Local\Temp\2B70.exe
| MD5 | ea268ea4d55e60f0f1ec5bb34e0e03c1 |
| SHA1 | 14a84040962e8e267f23e469041fcfb2299fed21 |
| SHA256 | 514b3ef7e4d2db0be517a79278bb0810eb4d3b54d93e6cce1da7690b26be7ac5 |
| SHA512 | 41d57dc83787b66100ca8884a0ecbabacfdbb3509d1eea34ce597e6720c68673aee52bec6aa103446edef45dc9bd79963051a5af347a50dc1c0392ee501870b5 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe
| MD5 | 7da9d23e390d389c223ee210c1d44cd5 |
| SHA1 | 419db1be012ffe1b300dbf4bf2d5dd2077034414 |
| SHA256 | 5562616f58e6613da22f98c84441206fb2ff84ebd3f7a1f04979904c35c6974a |
| SHA512 | bfbd8cdd923e2e481a5ef909abc9c83c438d1a21230125eb540c3c1cdf7ceb11889551ae73cfb7a3c8eb2192c7d652398161b0806ef9654965da3b37279b5eb5 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MU0Vk9th.exe
| MD5 | 7da9d23e390d389c223ee210c1d44cd5 |
| SHA1 | 419db1be012ffe1b300dbf4bf2d5dd2077034414 |
| SHA256 | 5562616f58e6613da22f98c84441206fb2ff84ebd3f7a1f04979904c35c6974a |
| SHA512 | bfbd8cdd923e2e481a5ef909abc9c83c438d1a21230125eb540c3c1cdf7ceb11889551ae73cfb7a3c8eb2192c7d652398161b0806ef9654965da3b37279b5eb5 |
C:\ProgramData\vhvd\ftjha.exe
| MD5 | 2a18e8163bdd80fcde52ac7a630ca65d |
| SHA1 | 18983ef45b2953cb5b7ee9ed6fa153e406c85311 |
| SHA256 | f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82 |
| SHA512 | bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb |
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe
| MD5 | 0a82f72da3cd8178272bbdc1011f48d8 |
| SHA1 | 3701c0cfb04f3edcdf9b8837a708cdba9da2a100 |
| SHA256 | b98296a06b9887bf154c23ad2a54312ec1f5f6b81295f9ba8f40d628b6ad4759 |
| SHA512 | f18114927aeedd22feb126d1f78512d848ef54c0574b776f9e95aa210540fc3796c23701b490ba350aecdf10b2270c8204465da8c465726a818fbaf9f44190ed |
C:\Users\Admin\AppData\Local\Temp\315D.exe
| MD5 | e1fb9c32ee188e153ec4219285a696c2 |
| SHA1 | 0f160b5ac9ffc7cd9079080f54601f70d05570de |
| SHA256 | 32baaeeebd843aebcbe2fc4943bd1185149c1b59c7af315a57a8024dbdb31be5 |
| SHA512 | 4cdfb7dd31e765abff55bd2cc755c66e2ef99732c04141093269b3bc174a79bd47dbff541b1767a14c236c67c8c45a554acfa1df16cf1c5813d8de243eda82eb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | aab2c0ac341d244950bd1fc232f6cd54 |
| SHA1 | 024cc43041e8f4e0a113e1c5eafa28dc7afe778d |
| SHA256 | a9fc1e5ea4a6d391f361aafe110970589f2d25665e456f43c9f16fa0c716bddd |
| SHA512 | 8bd7c9d0a827e0444cff4201ccac65a024c8147300c5cdad85a32f409d25b4b37e6ba85598fbb3c1b87a731c260091d7ad2dedc3e062cc159cdb16e7022537d7 |
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\wO2jM2dA.exe
| MD5 | 69379446749390eb632eae36fe81cc84 |
| SHA1 | c6bb099e3a391b5cc6ddc007571d439db2233ea3 |
| SHA256 | 9f7ac3a89733b574e528bde53084b7db1b88ba25bb01e5218f5407c72b3d7233 |
| SHA512 | a883dc99e94ae7c98216562c135a1b603c22b33c88080c95364dab360c546f201becba930b3dd20f44f724b3e79c91487aeed9a015cc6c3435446431078e097a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | fa490bcfae422ab5e22cff35fd9d1448 |
| SHA1 | 1b1e451fcc3fd6a34d317f8cacbaedec44229f5b |
| SHA256 | 0f3f862bf8aae953e21ac9b60b2f6a4611e3dd9fd824e3d454707252a4a39296 |
| SHA512 | e65c85f7afb1cc21395cf0f576b1434f252a57877103e18e2205311baf35e6b7563d1de8201060052369cd45cc90f74c8f9d88f9cf92c81d659212ba35765f09 |
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\hr3Gd1wJ.exe
| MD5 | 0a82f72da3cd8178272bbdc1011f48d8 |
| SHA1 | 3701c0cfb04f3edcdf9b8837a708cdba9da2a100 |
| SHA256 | b98296a06b9887bf154c23ad2a54312ec1f5f6b81295f9ba8f40d628b6ad4759 |
| SHA512 | f18114927aeedd22feb126d1f78512d848ef54c0574b776f9e95aa210540fc3796c23701b490ba350aecdf10b2270c8204465da8c465726a818fbaf9f44190ed |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Kg5JV7VZ.exe
| MD5 | b577757a01cb47bdcd0fcde5c14d8d9c |
| SHA1 | 0f34a499b9d8ee929ac97d51ec0b6a96b9e75ebd |
| SHA256 | 4b7f310c8e6ae1ae8d6bd4736acea0688ae50c56b65168186304626a1bbc1534 |
| SHA512 | aa6e88bdf4cd11e0c661b90cce50a1555dd947bdf71e8a40b8069b7d9bd5afa6291a88392260a3948adb05bcbae3385b33dc650bafa4c8f63d9500bd5cb1d13f |
C:\ProgramData\vhvd\ftjha.exe
| MD5 | 2a18e8163bdd80fcde52ac7a630ca65d |
| SHA1 | 18983ef45b2953cb5b7ee9ed6fa153e406c85311 |
| SHA256 | f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82 |
| SHA512 | bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb |
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2oA114KX.exe
| MD5 | 02bb293d4d6bc0af5a2858909dccd5f9 |
| SHA1 | f39ed285b4265f8b1792cb0bbe94cd5ae617a13b |
| SHA256 | 51f954c41b6cf94a2e01b9c19f0a5d8016e3d7bcf2d6219bbc9193c1180e562e |
| SHA512 | 18062c8826a63ff0ab5d0a7ff7b6c2900631b18203871d5a495ffd3866edf85d05e1109756061eca6a6c918afe6575acc79f1a4adda116e13d2d93d6dc49fa81 |
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1mP48Ne7.exe
| MD5 | 2ddfedb3c1d3451453f626af981a42bd |
| SHA1 | 73edfd89b2fd7bb919c5dd79add5a29aded1d4fe |
| SHA256 | 4c5659217b9e8f8f7f37cc45e0ad519719010597f07ecd738da927933a91ed2a |
| SHA512 | 1a3c55e40a7ed3386f102930d9c1746aaaa6ede52238a02ea963da968fa5686bfee122bd1cd95e00b9fe8ef178fa5b9b9fe1a1a976a407bf8aa0981f1e98c7d9 |
memory/1672-375-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1672-376-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1672-377-0x0000000000400000-0x0000000000432000-memory.dmp
memory/5068-380-0x0000000002360000-0x0000000002380000-memory.dmp
memory/5068-383-0x0000000004A70000-0x0000000004A80000-memory.dmp
memory/4816-387-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4816-384-0x0000000000400000-0x0000000000432000-memory.dmp
memory/5068-382-0x0000000073940000-0x00000000740F0000-memory.dmp
memory/5068-388-0x0000000004A70000-0x0000000004A80000-memory.dmp
memory/5068-385-0x0000000004A70000-0x0000000004A80000-memory.dmp
memory/4816-391-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2020-392-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | af1f757c481bf335dd152a603f85f0e3 |
| SHA1 | c8f0477f4fdc4d7ddc128de1cfddcaa360f1c771 |
| SHA256 | e661973caa2770f00560fa7e186ca91c36709d0965376e5fb158623fde94c820 |
| SHA512 | 7a90762c2b64d221da08ea48deebdf681d9defca78b829d3f9a91a6a49888d2276dbf027aa4960dcbba0064ea4bd43f00442ae340a7a64ebde15c6c2fdc9340f |
memory/5068-398-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d4f83de7cfdd59b7073d9dda672d24ed |
| SHA1 | 26a1aead0d81ee92a002608e6aeaed2ea742d0f1 |
| SHA256 | 731780bb2064b78442302dcb9b12c011e6ba236b2f0f3ab599797288f89729de |
| SHA512 | 76a9334a0884fd5e4f913f0632e5036aa143a34ceaee493724fb76fcaa022d0b211a9b0fd9319bb97cebdc308b16995d20e92330e07d7c71058ba5cfd1da0c11 |
memory/5068-399-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/5068-408-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/5068-411-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/5068-414-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/5068-417-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/5068-419-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/5068-421-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/5068-424-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/5068-426-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/5068-430-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/5068-428-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/5068-433-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/5068-436-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3d5af55f794f9a10c5943d2f80dde5c5 |
| SHA1 | 5252adf87d6bd769f2c39b9e8eba77b087a0160d |
| SHA256 | 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764 |
| SHA512 | 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XE9C1B9R\favicon[1].ico
| MD5 | f3418a443e7d841097c714d69ec4bcb8 |
| SHA1 | 49263695f6b0cdd72f45cf1b775e660fdc36c606 |
| SHA256 | 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770 |
| SHA512 | 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 274208e27f8c5aad0b595df33e456414 |
| SHA1 | 068cda45b5fcf9fd1789a152d759381daa36abd5 |
| SHA256 | bb0130c34c8b56817ebbdc0394782b800bda7dcb51a58793b5dc02d1368b3f24 |
| SHA512 | ed7837211b1842286483eaeffa430be9985751efea0729b511a80b4aaabb6fe797bc4ff0857dee5c374eb5a6dd54cc5c62ce9ee57d88f90ce51bec02155bed0c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 038202ce05578f1d1e40639a808174d5 |
| SHA1 | f9b239d17ffb3563b7847e47c0c1ab191163a92f |
| SHA256 | 52d79bba813c43787498040b9cfc1992f9e0bcb8fa76a47200403b197a4abc65 |
| SHA512 | d913c9eaf85b0e6ee37005d48b8aa4af21423866e4a23d7644846442e2647c6069d8211c3f9478ef489b50772c429ef0119b6e564628b09d409c901e262c558a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 25e6307b2b5e5f1c39d542d1eba09ecc |
| SHA1 | 478336bdc3606faab5b7446cb058c19abc95d02f |
| SHA256 | 14fe6a31d1a5d268c0a0f1fe85cb51863fed3b1c32d6e1202d2d8627896cb252 |
| SHA512 | 9c00070b51d2f3688925d40787674a945148ef00d28f48912be1aa068ad703932bad7bd6d8def310007fb6f6db92915c945c55975495be6faa16f7889f68822b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | c71a7e4ed6d19c53c9b897039d6f3db1 |
| SHA1 | 1b43c15b27d197bf13fd17fab075616d0913aea7 |
| SHA256 | 0016d04d70c9941e29f21645441ff3ef5a1ced1e8ba2ad42dcaba4f49dfd6209 |
| SHA512 | 6ec0424acfb5d69f1ca322f054d55c5d22c0af242fdf0fbd96131599f2f1e4158dbbd89e1470ee4b7b9976c3df7b0d1e6302564b31cdfd3db1cc193bee9623e1 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 0c459e65bcc6d38574f0c0d63a87088a |
| SHA1 | 41e53d5f2b3e7ca859b842a1c7b677e0847e6d65 |
| SHA256 | 871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4 |
| SHA512 | be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 2ac6d3fcf6913b1a1ac100407e97fccb |
| SHA1 | 809f7d4ed348951b79745074487956255d1d0a9a |
| SHA256 | 30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe |
| SHA512 | 79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3cb6cb5f38a457812db51c73aa234019 |
| SHA1 | cc8d803612a5c66937efd9ddd915759a940c7d4e |
| SHA256 | 89b09035af8a5d3211b3f98b194c751da33dbac43516aef9940fbe2ff7e5093f |
| SHA512 | 0a63a10e390d1e255bb996d172f5a4930bd62b446547632f1334a328ed31446abaa6e5a0c6f04274568fe3dec38c5b60b02fd839f6dbb9ae4bd7baead83bc378 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 81e4fc7bd0ee078ccae9523fa5cb17a3 |
| SHA1 | 4d25ca2e8357dc2688477b45247d02a3967c98a4 |
| SHA256 | c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee |
| SHA512 | 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver9611.tmp
| MD5 | 1a545d0052b581fbb2ab4c52133846bc |
| SHA1 | 62f3266a9b9925cd6d98658b92adec673cbe3dd3 |
| SHA256 | 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1 |
| SHA512 | bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e1af7e28d9fcfe747baeb4a630f5552e |
| SHA1 | fa939327469030280af2a93ca9b167d53606bf61 |
| SHA256 | 137a19f289c7334886066edb25d623143269c43b321a07e8790bc5710b8ce6c6 |
| SHA512 | d8b8d6a417951b49b62de9bc5d8ec48024ee97ebf6d72309d813a2ff0f7760d9c856f3848ce10e0a5db7c2fec406ecf4a704b8e3df945267520cdf56de29e4d9 |
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3b9b2cc984d6f2d0ba2a70758fb6352c |
| SHA1 | 2fd88b57f0b975889b0bf738acdf855a701db590 |
| SHA256 | 594185e3b1aed50b43c745437a7a2f51bb140ea32d35a6f4f1bdf0d7e5d9fe3e |
| SHA512 | bda7bbdc2612e8297207047e6d9e48536ec0b8e940eb3ad08e9eff1aba17255e61e2a17e945a28cbd00cdfb513605f50a349174bc69fbd5c3715e26223a0c460 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5db83e9d9f59fae11b488b49f6cd5bad |
| SHA1 | a2ef9862e49a9ff155bf355d47b53a35ca2da66f |
| SHA256 | 6cacd9a3cb488381899a051cea097045a1b0a8eb8ae1af9c1c711faa84a93735 |
| SHA512 | 7d54cdab4be5e34330562510f2d183f2f4a2be0b9b9b6af7a4b905d1ed37a5207e88fa087b3edb383e8cfa52b75f77ab46a788b6d9f5d4c824360f6064f14bf5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 10f5b64000466c1e6da25fb5a0115924 |
| SHA1 | cb253bacf2b087c4040eb3c6a192924234f68639 |
| SHA256 | d818b1cebb2d1e2b269f2e41654702a0df261e63ba2a479f34b75563265ee46b |
| SHA512 | 8a8d230594d6fade63ecd63ba60985a7ccd1353de8d0a119543985bf182fdbb45f38ccc96441c24f0792ea1c449de69563c38348c2bedb2845522a2f83a149db |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 6d5040418450624fef735b49ec6bffe9 |
| SHA1 | 5fff6a1a620a5c4522aead8dbd0a5a52570e8773 |
| SHA256 | dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3 |
| SHA512 | bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | ec41f740797d2253dc1902e71941bbdb |
| SHA1 | 407b75f07cb205fee94c4c6261641bd40c2c28e9 |
| SHA256 | 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520 |
| SHA512 | e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33 |
C:\Users\Admin\AppData\Local\Temp\tmpBD58.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmpBD8D.tmp
| MD5 | afa13f3defcd7a3454d106cf6abbf911 |
| SHA1 | c5bb2e376d265d252edbcea4252580c7f44ee741 |
| SHA256 | 707fff65d2f00566f96afd5b2a0e1c0460367c4bc008e55b60739f046f46f2f0 |
| SHA512 | 570a13afeaa7452cb43528aff19c09bbc528c6b29f065e847e966bfd2cd8dc3cdc0637935e6f9ebfdde8019e5135ab01a3a18667e0ed8623ef8b3366492a6203 |
C:\Users\Admin\AppData\Local\Temp\tmpBDF6.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmpBE31.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmpBE1C.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\tmpBE5D.tmp
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\Users\Admin\AppData\Local\NL10.127.0.41\Google Chrome\Logins.txt
| MD5 | 2a76b3e934844a2a713d509f764db633 |
| SHA1 | 3c190760fc63f72319dcc8535626e5f4cf6f46ff |
| SHA256 | 0d4d39a3d65d961dbd5df255f4cf69ab6b87076a9a366a8db723c98b7bbf20f2 |
| SHA512 | 6d8f86a39dacb158cba5956610578f3e9873d66547e62cb491c440b108062cae2c35d16e292fd2f528d70ed9e5814c8916f4ada9f551498a5366fb709a9b1a82 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 298cdc50f61a239b0b2aed4a77dde871 |
| SHA1 | a1260046d27764570aa6bd68bfedd320e0df20a0 |
| SHA256 | 21cd152d2cc0ae2ce208ba1b92b9c70f571a7200cbd092d4763fac5f3372617f |
| SHA512 | adba3a38e0fcf5449228cb955c2439b9bb26201fd8ce4f9a4b9fa3e11a97781e51904bdee1fac6f5a8edb526b97965e79a0be9c15f4f748a63b7a24260ecd148 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\20c9112e-21c8-4b1c-a118-40f17e6f06bf.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GJQPG6SR\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-12 12:56
Reported
2023-10-16 03:39
Platform
win7-20230831-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2972 set thread context of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe
"C:\Users\Admin\AppData\Local\Temp\94be62ba030b1fe5d4bc08713685483b052bf97db8ba42faa96086572b3b4408.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 92
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 200
Network
Files
memory/2088-0-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2088-2-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2088-3-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2088-4-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2088-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2088-5-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2088-1-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2088-7-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2088-9-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2088-11-0x0000000000400000-0x000000000053D000-memory.dmp