Malware Analysis Report

2024-11-30 23:23

Sample ID 231012-pb88bshe3y
Target b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d
SHA256 b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d
Tags
amadey dcrat glupteba healer redline smokeloader systembc breha kukish prets backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d

Threat Level: Known bad

The file b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d was found to be: Known bad.

Malicious Activity Summary

RedLine

Amadey

SystemBC

Healer

SmokeLoader

RedLine payload

Glupteba

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

DcRat

Detected google phishing page

Looks for VirtualBox Guest Additions in registry

Modifies Windows Firewall

Looks for VMWare Tools registry key

Downloads MZ/PE file

Reads user/profile data of local email clients

Loads dropped DLL

Checks BIOS information in registry

.NET Reactor protector

Uses the VBS compiler for execution

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Maps connected drives based on registry

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Enumerates physical storage devices

Program crash

Modifies registry class

Creates scheduled task(s)

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 12:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 12:10

Reported

2023-10-16 03:31

Platform

win7-20230831-en

Max time kernel

118s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2792 set thread context of 2624 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (14 identical rows)
PID 2792 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\SysWOW64\WerFault.exe (4 identical rows)
PID 2624 wrote to memory of 2900 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe (7 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe

"C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 92

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 200

Network

N/A

Files

memory/2624-3-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2624-2-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2624-1-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2624-0-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2624-5-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2624-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2624-4-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2624-7-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2624-9-0x0000000000400000-0x000000000053D000-memory.dmp

memory/2624-11-0x0000000000400000-0x000000000053D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 12:10

Reported

2023-10-16 03:31

Platform

win10v2004-20230915-en

Max time kernel

100s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detected google phishing page

phishing google

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\taskkill.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\taskkill.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\taskkill.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\taskkill.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\system32\taskkill.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\9198.exe N/A

Downloads MZ/PE file

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\9198.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows)

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9198.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3236507.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5D75.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6802571.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tk9Fs0eR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pd9AT8Ax.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly4Vg9xo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kl9vi6ZY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3236507.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2AV562Ar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4CD3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4F93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\53AC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1uN09ht3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5488.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\55B2.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5A47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5D75.exe N/A
N/A N/A C:\ProgramData\wlrlbt\kuemu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2AV562Ar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\695D.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9198.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nalo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000077051\\nalo.exe" C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pd9AT8Ax.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000127051\\socks.exe" C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sus.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000075051\\sus.exe" C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4CD3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto2552.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000076051\\foto2552.exe" C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly4Vg9xo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kl9vi6ZY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup9 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP010.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tk9Fs0eR.exe N/A
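
The Defender Real-Time Protection rows and the Run/RunOnce rows above are the two registry signals in this report worth turning into detections. Note the writer column on the Defender rows: AppLaunch.exe and taskkill.exe are Microsoft binaries with no legitimate reason to write Defender policy, so the column most likely names a host process rather than the code that acted (the SetThreadContext rows below show AppLaunch.exe being hollowed; nothing recorded here explains taskkill.exe). The script below is an added example, not part of this report or of the sandbox that produced it. It parses rows copied from the tables above (the row layout of op, key, optional = "value", writer process and target is inferred from the report and is an assumption), flags every Disable* = 1 write under the Real-Time Protection policy key, and lists each Run/RunOnce entry tagged with what makes it interesting: a command in a Temp directory, a value name borrowed from a system process such as csrss, or a wextract_cleanupN entry, which is what an IExpress/wextract self-extractor writes so that rundll32 deletes its IXPnnn.TMP folder at next logon. SYSTEM_NAMES is an assumed list.

```python
"""Parse this report's registry-indicator rows and run two detections over them:
Defender real-time-protection tampering and Run/RunOnce persistence.
Added example, not part of the original report. The row layout (op, key,
optional = "value", writer process, target) is inferred from the report and
is an assumption; the sample rows are copied from the tables above."""
import re
from dataclasses import dataclass
from typing import Optional

ROW = re.compile(
    r'^(?P<op>Set value \((?:str|int)\)|Key created|Key opened|Key value queried)\s+'
    r'(?P<key>\\REGISTRY\\.+?)'     # key path; may contain spaces
    r'(?:\s=\s"(?P<value>.*)")?'   # only "Set value" rows carry data
    r'\s+(?P<proc>[A-Za-z]:\\.+?)\s+N/A$'
)

SAMPLE_ROWS = [  # copied from the behavioral2 tables above
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\taskkill.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nalo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000077051\\nalo.exe" C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4CD3.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\9198.exe N/A',
]


@dataclass(frozen=True)
class RegEvent:
    op: str
    key: str              # on "Set value" rows the last component is the value name
    value: Optional[str]  # value data as the report prints it (backslash-escaped)
    proc: str             # process the sandbox attributed the operation to

    @property
    def parent_key(self):
        return self.key.rsplit("\\", 1)[0]

    @property
    def value_name(self):
        return self.key.rsplit("\\", 1)[1]

    @property
    def command(self):
        return re.sub(r"\\(.)", r"\1", self.value or "")  # undo the report's escaping


def parse_rows(rows):
    events = []
    for row in rows:
        m = ROW.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        events.append(RegEvent(m["op"], m["key"], m["value"], m["proc"]))
    return events


DEFENDER_RTP = "\\policies\\microsoft\\windows defender\\real-time protection"


def defender_tamper(events):
    """(value name, writer) for each write setting a Disable* value to 1 under the
    Defender Real-Time Protection policy key; case-insensitive and indifferent to a
    WOW6432Node component, as 32-bit writers are logged under the redirected path."""
    return [(e.value_name, e.proc) for e in events
            if e.op.startswith("Set value")
            and e.parent_key.lower().endswith(DEFENDER_RTP)
            and e.value_name.lower().startswith("disable") and e.value == "1"]


AUTORUN = re.compile(r"\\microsoft\\windows\\currentversion\\(run|runonce)$", re.I)
SYSTEM_NAMES = {"csrss", "smss", "lsass", "svchost", "winlogon", "services"}  # assumed


def autorun_persistence(events):
    """(hive, value name, command, writer, tags) for each Run/RunOnce write.
    temp-path: command points into a user Temp dir.  masquerade: value name borrows a
    Windows system process name.  wextract-cleanup: the RunOnce entry an IExpress/wextract
    self-extractor writes to delete its IXPnnn.TMP folder (packaging artifact, not persistence)."""
    findings = []
    for e in events:
        if not e.op.startswith("Set value") or not AUTORUN.search(e.parent_key):
            continue
        hive = "HKCU" if e.key.startswith("\\REGISTRY\\USER\\") else "HKLM"
        name, cmd, tags = e.value_name, e.command, set()
        base = name.lower()[:-4] if name.lower().endswith(".exe") else name.lower()
        if "\\appdata\\local\\temp\\" in cmd.lower():
            tags.add("temp-path")
        if base in SYSTEM_NAMES:
            tags.add("masquerade")
        if base.startswith("wextract_cleanup"):
            tags.add("wextract-cleanup")
        findings.append((hive, name, cmd, e.proc, tags))
    return findings
```

Run over the sample rows, defender_tamper returns the three Disable* writes with their attributed writers, and autorun_persistence returns nalo.exe (HKCU, Temp path), csrss (HKCU, masquerade: the real csrss.exe lives in System32, not C:\Windows\rss) and wextract_cleanup0 (HKLM RunOnce, packaging artifact). The wextract entries are a fingerprint in their own right: the numbered IXP000.TMP through IXP010.TMP directories in the Executes dropped EXE table show this sample nesting IExpress-style self-extractors eleven levels deep.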

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\9198.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\9198.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1680 set thread context of 3944 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1416 set thread context of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 676 set thread context of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4604 set thread context of 1044 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4480 set thread context of 5100 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6802571.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4812 set thread context of 4292 N/A C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3984 set thread context of 1984 N/A C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2016 set thread context of 4212 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3468 set thread context of 1112 N/A C:\Users\Admin\AppData\Local\Temp\4F93.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4220 set thread context of 1300 N/A C:\Users\Admin\AppData\Local\Temp\53AC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4488 set thread context of 1512 N/A C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1uN09ht3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1860 set thread context of 1820 N/A C:\Users\Admin\AppData\Local\Temp\695D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 5696 set thread context of 6884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\9198.exe
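
The SetThreadContext rows in this section and in behavioral1, together with the WriteProcessMemory rows there, are the signature of process hollowing: the dropper starts a signed .NET Framework utility (AppLaunch.exe, vbc.exe), writes its payload into that process and redirects the main thread with SetThreadContext, so the stealer runs under a Microsoft-signed image. The script below is an added example, not code from this report or from the sandbox. It folds rows copied from both runs into one record per injector/target pair, counts the writes, separates writes into WerFault.exe (the crash reporter being launched by the faulting process) from injection, and reads the -p argument of the WerFault command lines in the Processes list to tell which processes later crashed. The HOLLOW_HOSTS list, the verdict labels and the crash correlation are this example's own heuristics; the row layout is inferred from the report.

```python
"""Rebuild the injection chains behind the SetThreadContext / WriteProcessMemory rows
above and mark the hollowed .NET host processes.
Added example, not part of the original report. The row layout is inferred from
the report; the host-binary list and the crash correlation are this example's own
heuristics. Sample rows are copied from the behavioral1 and behavioral2 sections."""
import re

INJECT_ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.+?\.exe) (?P<dst_img>[A-Za-z]:\\.+)$"
)
# WerFault.exe is launched for a crashing process; its -p argument is that process's PID.
WERFAULT_PID = re.compile(r"\\WerFault\.exe .*-p (?P<pid>\d+)", re.I)

# Signed .NET Framework utilities that these loader families routinely hollow (assumed list).
HOLLOW_HOSTS = {"applaunch.exe", "vbc.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

SAMPLE_ROWS = (
    # behavioral1 (win7): set-context plus 14 writes into AppLaunch, then both crash
    [f"PID 2792 set thread context of 2624 N/A {SAMPLE} {APPLAUNCH}"]
    + [f"PID 2792 wrote to memory of 2624 N/A {SAMPLE} {APPLAUNCH}"] * 14
    + [f"PID 2792 wrote to memory of 2776 N/A {SAMPLE} {WERFAULT}"] * 4
    + [f"PID 2624 wrote to memory of 2900 N/A {APPLAUNCH} {WERFAULT}"] * 7
    # behavioral2 (win10): three of the SetThreadContext rows above
    + [f"PID 1680 set thread context of 3944 N/A {SAMPLE} {APPLAUNCH}",
       r"PID 1860 set thread context of 1820 N/A C:\Users\Admin\AppData\Local\Temp\695D.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
       r"PID 5696 set thread context of 6884 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\9198.exe"]
)
# the two WerFault command lines from the behavioral1 Processes list
WERFAULT_CMDLINES = [f"{WERFAULT} -u -p 2792 -s 92", f"{WERFAULT} -u -p 2624 -s 200"]


def build_chains(rows, werfault_cmdlines):
    """One record per (injector PID, target PID) pair: write count, whether the thread
    context was replaced, a verdict, and whether either side was later handed to WerFault."""
    crashed = set()
    for cmdline in werfault_cmdlines:
        m = WERFAULT_PID.search(cmdline)
        if m:
            crashed.add(m["pid"])
    pairs = {}
    for row in rows:
        m = INJECT_ROW.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        rec = pairs.setdefault((m["src"], m["dst"]), {
            "parent_pid": m["src"], "child_pid": m["dst"],
            "parent_image": m["src_img"], "child_image": m["dst_img"],
            "writes": 0, "context_set": False})
        if m["op"] == "wrote to memory of":
            rec["writes"] += 1
        else:
            rec["context_set"] = True
    for rec in pairs.values():
        child = rec["child_image"].rsplit("\\", 1)[-1].lower()
        if child == "werfault.exe":
            rec["verdict"] = "crash-handler"       # faulting process launching WER, not injection
        elif rec["context_set"] and child in HOLLOW_HOSTS:
            rec["verdict"] = "hollowed-host"       # write(s) + thread redirect into a .NET host
        elif rec["context_set"]:
            rec["verdict"] = "context-set-review"  # implausible pair; check for PID reuse
        else:
            rec["verdict"] = "write-only"
        rec["parent_crashed"] = rec["parent_pid"] in crashed
        rec["child_crashed"] = rec["child_pid"] in crashed
    return list(pairs.values())
```

Read against behavioral1, the output says the Windows 7 detonation never got past its first stage: the sample hollows AppLaunch.exe (14 writes, then the context set), after which both PID 2792 and PID 2624 are handed to WerFault, which fits that run recording no network activity and no dropped files. The chrome.exe to 9198.exe pair gets a review verdict rather than a hollowing verdict because a browser replacing the thread context of a Temp executable is not a plausible injection; PID reuse in the trace is the first thing to check.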

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Tasks\kuemu.job C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\Tasks\kuemu.job C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6802571.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\4F93.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\53AC.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1uN09ht3.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\58DF.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\9198.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\9198.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\9198.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\BIOS C:\Users\Admin\AppData\Local\Temp\9198.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\9198.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31064033" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31064033" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f000000000200000000001066000000010000200000002f8159249a5f30899df8eceba9cfa80d8fdf9ff80bfcebb0ac3e1122102b4377000000000e8000000002000020000000c3e6f43c239185ae70bb6e988defcb18838364c792e486c96a5de2ec998aae1010000000c0b912ccd889532544d7418c61e3432740000000c906156e5cf6cf41b2d23e995cb783967c48cfda1c986c3e776ebd9d318fe5bd77133eceff41aa989f33b2b7ff6f435fd6acddd5efc135dbe1a4acc492a8f34e C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "411050865" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "411050865" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31064033" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 042d5e82d5e7d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = [binary value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{436F55FE-6BD4-11EE-83FE-424EF1D7CB82} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "439590062" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045988481-1457812719-2617974652-1000\{67551DFF-951A-4136-B32D-862B75D2B923} C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\9198.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob elided] C:\Users\Admin\AppData\Local\Temp\9198.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob elided] C:\Users\Admin\AppData\Local\Temp\9198.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5488.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5A47.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1680 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1680 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1680 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1680 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1680 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1680 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1680 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1680 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1680 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3944 wrote to memory of 4548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe
PID 3944 wrote to memory of 4548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe
PID 3944 wrote to memory of 4548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe
PID 4548 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe
PID 4548 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe
PID 4548 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe
PID 4688 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe
PID 4688 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe
PID 4688 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe
PID 3204 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe
PID 3204 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe
PID 3204 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe
PID 1440 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe
PID 1440 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe
PID 1440 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe
PID 1416 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1416 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1416 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1416 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1416 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1416 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1416 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1416 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1440 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe
PID 1440 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe
PID 1440 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe
PID 676 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 676 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 676 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 676 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 676 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 676 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 676 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 676 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 676 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 676 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3204 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe
PID 3204 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe
PID 3204 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe
PID 4604 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4604 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4604 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4604 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4604 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4604 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4604 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4604 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4604 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4688 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe
PID 4688 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe
PID 4688 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe
PID 4692 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
PID 4692 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
PID 4692 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
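Each row in the table above is one WriteProcessMemory call, so the same writer/target pair repeats (PID 1680 writes into 3944 ten times) and the drop chain is hard to read. The script below is an added analyst example, not part of the sandbox report: it parses rows in exactly the format rendered above, collapses repeats, rebuilds the writer-to-target tree from the root sample, and flags writes into a signed .NET host that was started with an empty command line (AppLaunch.exe here), which is the usual shape of process hollowing. The sample rows are a subset copied from the table; HOLLOW_HOSTS is an analyst-maintained list and the hollowing label is a heuristic, not a sandbox verdict. Note that the process list further down shows WerFault.exe for several of these same PIDs (1680, 1416, 676, 4064, 4604), i.e. some of the hollowed hosts crashed in the sandbox.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# One report row: "PID <src> wrote to memory of <dst> N/A <writer image> <target image>"
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_path>[A-Za-z]:\\.+?\.exe) (?P<dst_path>[A-Za-z]:\\.+\.exe)$"
)

# Signed .NET binaries that run with an empty command line and are therefore popular
# hollowing targets. Analyst-maintained list (assumption, not a sandbox signature).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# Constructed sample: rows copied from the table above, keeping the repeated
# 1680 -> 3944 writes so the de-duplication is visible.
SAMPLE_ROWS = r"""
PID 1680 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1680 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1680 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3944 wrote to memory of 4548 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe
PID 4548 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe
PID 4688 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe
PID 3204 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe
PID 1440 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe
PID 1416 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1440 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe
PID 676 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4688 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe
PID 4692 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"""

Edge = Tuple[int, int, str, str]  # (writer pid, target pid, writer image, target image)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(text: str) -> List[Edge]:
    """One Edge per table row, in report order; lines that are not rows are skipped."""
    edges: List[Edge] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.append((int(m["src"]), int(m["dst"]), basename(m["src_path"]), basename(m["dst_path"])))
    return edges


def collapse(edges: List[Edge]) -> Counter:
    """Number of WriteProcessMemory calls per distinct (writer pid, target pid) pair."""
    return Counter((src, dst) for src, dst, _, _ in edges)


def roots(edges: List[Edge]) -> List[int]:
    """PIDs that write into others but were never written into: the chain's origin."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def chains(edges: List[Edge], root: int) -> List[List[str]]:
    """Every root-to-leaf path, labelled 'image(pid)', children in row order."""
    children: Dict[int, List[int]] = defaultdict(list)
    names: Dict[int, str] = {}
    for src, dst, sname, dname in edges:
        if dst not in children[src]:
            children[src].append(dst)
        names.setdefault(src, sname)
        names.setdefault(dst, dname)
    paths: List[List[str]] = []

    def walk(pid: int, trail: List[str], seen: frozenset) -> None:
        label = f"{names[pid]}({pid})"
        kids = [c for c in children.get(pid, []) if c not in seen]  # cycle guard
        if not kids:
            paths.append(trail + [label])
            return
        for kid in kids:
            walk(kid, trail + [label], seen | {kid})

    walk(root, [], frozenset({root}))
    return paths


def suspected_hollowing(edges: List[Edge]) -> List[Tuple[str, int, int]]:
    """(writer image, writer pid, target pid) for each write into a known hollowing host."""
    hits: List[Tuple[str, int, int]] = []
    for src, dst, sname, dname in edges:
        if dname in HOLLOW_HOSTS and (sname, src, dst) not in hits:
            hits.append((sname, src, dst))
    return hits


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for (src, dst), n in collapse(rows).items():
        print(f"{src} -> {dst}: {n} write(s)")
    for path in chains(rows, roots(rows)[0]):
        print(" -> ".join(path))
    for writer, src, dst in suspected_hollowing(rows):
        print(f"likely hollowing: {writer} ({src}) into pid {dst}")
```

The three root-to-leaf chains it prints from the sample are the stages of the nested IXP00n.TMP droppers ending in a hollowed AppLaunch.exe, the parallel r3601291.exe branch, and the t0155604.exe branch that drops explonde.exe, which is the loader the scheduled task below keeps alive.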

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe

"C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1680 -ip 1680

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 148

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1416 -ip 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 140

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 676 -ip 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4064 -ip 4064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 548

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 220

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6802571.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6802571.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explonde.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explonde.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe

"C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4480 -ip 4480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4812 -ip 4812

C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe

"C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tk9Fs0eR.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tk9Fs0eR.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 584

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pd9AT8Ax.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pd9AT8Ax.exe

C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe

"C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly4Vg9xo.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly4Vg9xo.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3984 -ip 3984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1984 -ip 1984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 160

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kl9vi6ZY.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kl9vi6ZY.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3236507.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3236507.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2016 -ip 2016

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 540

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2AV562Ar.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2AV562Ar.exe

C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe

"C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe"

C:\Users\Admin\AppData\Local\Temp\4CD3.exe

C:\Users\Admin\AppData\Local\Temp\4CD3.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe

C:\Users\Admin\AppData\Local\Temp\4F93.exe

C:\Users\Admin\AppData\Local\Temp\4F93.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5169.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe

C:\Users\Admin\AppData\Local\Temp\53AC.exe

C:\Users\Admin\AppData\Local\Temp\53AC.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 272

C:\Users\Admin\AppData\Local\Temp\55B2.exe

C:\Users\Admin\AppData\Local\Temp\55B2.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4220 -ip 4220

C:\Users\Admin\AppData\Local\Temp\58DF.exe

C:\Users\Admin\AppData\Local\Temp\58DF.exe

C:\Users\Admin\AppData\Local\Temp\5488.exe

C:\Users\Admin\AppData\Local\Temp\5488.exe

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1uN09ht3.exe

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1uN09ht3.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3468 -ip 3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\5A47.exe

C:\Users\Admin\AppData\Local\Temp\5A47.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4488 -ip 4488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1512 -ip 1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0xfc,0x7ffa8fc646f8,0x7ffa8fc64708,0x7ffa8fc64718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 148

C:\Users\Admin\AppData\Local\Temp\5D75.exe

C:\Users\Admin\AppData\Local\Temp\5D75.exe

C:\ProgramData\wlrlbt\kuemu.exe

C:\ProgramData\wlrlbt\kuemu.exe start2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4212 -ip 4212

C:\Users\Admin\AppData\Local\Temp\695D.exe

C:\Users\Admin\AppData\Local\Temp\695D.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 784

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2AV562Ar.exe

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2AV562Ar.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,12686778864075769379,4097933399500112427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,12686778864075769379,4097933399500112427,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,12686778864075769379,4097933399500112427,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,12686778864075769379,4097933399500112427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,12686778864075769379,4097933399500112427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8fc646f8,0x7ffa8fc64708,0x7ffa8fc64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,12686778864075769379,4097933399500112427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8ced9758,0x7ffa8ced9768,0x7ffa8ced9778

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3356 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,12686778864075769379,4097933399500112427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\7C0B.exe

C:\Users\Admin\AppData\Local\Temp\7C0B.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Users\Admin\AppData\Local\Temp\9198.exe

C:\Users\Admin\AppData\Local\Temp\9198.exe

C:\Users\Admin\AppData\Roaming\cvcwrjw

C:\Users\Admin\AppData\Roaming\cvcwrjw

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4572 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4436 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5128 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\9198.exe

C:\Users\Admin\AppData\Local\Temp\9198.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\cmd.exe

cmd /c

C:\Windows\system32\runas.exe

runas /user:Administrator C:\Users\Admin\AppData\Local\Temp\9198.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8ced9758,0x7ffa8ced9768,0x7ffa8ced9778

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\taskkill.exe

taskkill /F /IM Skype.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM browser.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM iridium.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8ced9758,0x7ffa8ced9768,0x7ffa8ced9778

C:\Windows\system32\taskkill.exe

taskkill /F /IM uran.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM epic.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM vivaldi.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM sputnik.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM 7star.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM centbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM amigo.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM torch.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM kometa.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM orbitum.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM viber.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM WhatsApp.exe.

C:\Windows\system32\taskkill.exe

taskkill /F /IM monero-wallet-gui.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM coinomi.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\taskkill.exe

taskkill /F /IM bitcoin-qt.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /IM bytecoinwallet.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM armoryqt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM atomicwallet.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM exodus.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM electrum.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM dash-qt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM litecoin-qt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM bitcoin-qt.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\ProgramData\wlrlbt\kuemu.exe

C:\ProgramData\wlrlbt\kuemu.exe start2

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
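
The process list above is the detection surface for this sample: Amadey's one-minute scheduled task plus the CACLS lockdown of its own binary, Glupteba's logon task, firewall rule and Task Manager hook injector, the runas elevation attempt, the rundll32 load of clip64.dll from the user profile, and the burst of taskkill calls against browsers and wallets before the stealer runs. The Python below is an added example, not part of this report or of any sandbox product: it runs single-line rules over a constructed excerpt of these command lines (two benign browser lines included so the rules have something to ignore). Rule names, the regular expressions and the kill-count threshold are assumptions chosen for this report.

```python
"""Triage rules run over the sandbox process command lines listed above.

Added example; it is not part of the original report or of any sandbox product.
SAMPLE_CMDLINES is a constructed excerpt of the process list (two benign browser
lines first, then the interesting ones). Rule names and the kill threshold are
assumptions chosen for this report.
"""
import re
from collections import Counter

# Browser and wallet images a stealer force-kills so their profile/wallet files are unlocked.
STEALER_TARGETS = {
    "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "vivaldi.exe", "opera.exe",
    "exodus.exe", "electrum.exe", "bitcoin-qt.exe", "monero-wallet-gui.exe",
    "atomicwallet.exe", "coinomi.exe",
}

# One single-line signature per rule; the process list itself is the detection surface.
RULES = [
    # Amadey: re-launch the loader every minute from a temp directory.
    ("schtasks_minute_loop",
     re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*?/sc\s+minute\s+/mo\s+1\b', re.I)),
    # Glupteba: run at logon with the highest available token.
    ("schtasks_logon_highest",
     re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*?/sc\s+onlogon\b.*?/rl\s+highest\b', re.I)),
    # Amadey: deny the current user all access to its own binary/directory ("Admin:N").
    ("acl_self_lockdown",
     re.compile(r'\bcacls\s+"[^"]+"\s+/p\s+"[^"]+:n"', re.I)),
    # Glupteba: punch an inbound firewall hole for a dropped executable.
    ("firewall_allow_dropped_binary",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?action=allow\b.*?program=', re.I)),
    # Amadey clipper plugin: rundll32 loading a DLL out of the user profile.
    ("rundll32_userprofile_dll",
     re.compile(r'rundll32(?:\.exe)?"?\s+.*?\\appdata\\.*?\.dll\s*,', re.I)),
    ("runas_administrator",
     re.compile(r'\brunas\s+/user:administrator\b', re.I)),
    # Glupteba: rewrite the service security descriptor (the sc sdset line).
    ("service_dacl_rewrite",
     re.compile(r'\bsc\s+sdset\s+\S+\s+D:\(', re.I)),
    # Glupteba: hook NtQuerySystemInformation inside Task Manager to hide processes.
    ("process_hiding_injector",
     re.compile(r'\binjector\.exe\s+taskmgr\.exe\s+.*?NtQuerySystemInformationHook\.dll', re.I)),
]
TASKKILL = re.compile(r'\btaskkill\s+/f\s+/im\s+(\S+)', re.I)


def triage(cmdlines, kill_threshold=5):
    """Return a list of (rule, evidence) findings for the given command lines."""
    findings = []
    killed = []
    for line in cmdlines:
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((name, line))
        hit = TASKKILL.search(line)
        if hit:
            # The report contains "taskkill /F /IM WhatsApp.exe." with a stray trailing dot.
            killed.append(hit.group(1).rstrip(".").lower())
    # A burst of kills against browsers and wallets precedes credential/wallet theft.
    targets = sorted(set(killed) & STEALER_TARGETS)
    if len(targets) >= kill_threshold:
        findings.append(("mass_browser_wallet_termination", ", ".join(targets)))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(name for name, _ in findings)


SAMPLE_CMDLINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --renderer-client-id=5',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F',
    r'CACLS "oneetx.exe" /P "Admin:N"',
    r'CACLS "oneetx.exe" /P "Admin:R" /E',
    r'runas /user:Administrator C:\Users\Admin\AppData\Local\Temp\9198.exe',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
] + [f"taskkill /F /IM {img}" for img in (
    "msedge.exe", "chrome.exe", "brave.exe", "firefox.exe", "WhatsApp.exe.",
    "exodus.exe", "electrum.exe", "bitcoin-qt.exe")]

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_CMDLINES):
        print(f"{rule:32} {evidence[:90]}")
```

The second CACLS line (`/P "Admin:R" /E`) is deliberately in the sample and does not fire: Amadey first strips all access (`:N`) and then re-grants read-only, so only the `:N` step is the signal. The taskkill rule is aggregated rather than per-line because a single `taskkill /F /IM chrome.exe` is common in legitimate installers; it is the count of distinct browser and wallet images that separates this stealer from a software update.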
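
The `sc sdset WinDefender D:(...)S:(...)` line in the process list is the part of this chain most analysts skip over, and it is the reason the dropped `C:\Windows\windefender.exe` service is hard to remove by hand. The Python below is an added example, not from this report or from the malware: it decodes that security descriptor with the standard SDDL two-letter abbreviations (using their meaning for service objects) and computes what Builtin Administrators end up with. The descriptor string is copied verbatim from the command line; the effective-rights calculation ignores inheritance and group nesting, which is an assumption that holds for this descriptor because it has neither.

```python
"""Decode the service security descriptor from the `sc sdset WinDefender D:(...)S:(...)` line above.

Added example; not part of the original report or of the malware. The rights table is
the standard SDDL two-letter abbreviation set with its meaning for service objects;
SDDL_WINDEFENDER is copied verbatim from the command line. The effective-rights
calculation ignores inheritance and group nesting (an assumption that holds for
this descriptor, which has neither).
"""
import re

# SDDL access-right abbreviations as they apply to a service object.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
TRUSTEES = {
    "SY": "Local System", "BA": "Builtin Administrators", "IU": "Interactive Users",
    "SU": "Service Logon Users", "WD": "Everyone",
}

SDDL_WINDEFENDER = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


def parse_aces(section):
    """Parse '(type;flags;rights;object;inherit;sid)...' into a list of ACE dicts."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", section):
        ace_type, flags, rights, _object_guid, _inherit_guid, sid = body.split(";")
        if rights.startswith("0x"):
            names = {rights}                      # raw access mask, left undecoded
        else:                                      # two letters per right
            names = {RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                     for i in range(0, len(rights), 2)}
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                     "rights": names, "trustee": TRUSTEES.get(sid, sid)})
    return aces


def parse_sddl(sddl):
    """Return {'D': [DACL ACEs], 'S': [SACL ACEs]} for a D:/S: descriptor string."""
    out = {}
    for key in ("D", "S"):
        m = re.search(key + r":[A-Z]*((?:\([^)]*\))*)", sddl)
        out[key] = parse_aces(m.group(1)) if m else []
    return out


def effective_rights(dacl, trustee):
    """(granted, denied) for one trustee: explicit allows minus explicit denies."""
    allowed, denied = set(), set()
    for ace in dacl:
        if ace["trustee"] != trustee:
            continue
        if ace["type"] == "ALLOW":
            allowed |= ace["rights"]
        elif ace["type"] == "DENY":
            denied |= ace["rights"]
    return allowed - denied, denied


def can_stop_service(sddl, trustee="Builtin Administrators"):
    """True if the trustee ends up with SERVICE_STOP."""
    granted, _ = effective_rights(parse_sddl(sddl)["D"], trustee)
    return "SERVICE_STOP" in granted


if __name__ == "__main__":
    dacl = parse_sddl(SDDL_WINDEFENDER)["D"]
    for ace in dacl:
        print(f'{ace["type"]:5} {ace["trustee"]:24} {", ".join(sorted(ace["rights"]))}')
    granted, denied = effective_rights(dacl, "Builtin Administrators")
    print("Administrators denied:", sorted(denied))
    print("Administrators can stop WinDefender:", can_stop_service(SDDL_WINDEFENDER))
```

Decoded, the DACL grants Local System the normal start/stop/pause set, gives Administrators an allow ACE that deliberately omits WP and DT, and then adds an explicit deny of WP and DT for Administrators, so `sc stop WinDefender` fails with access denied even from an elevated prompt. The allow ACE still contains WD (WRITE_DAC) and DC (SERVICE_CHANGE_CONFIG), so on the descriptor as written an administrator can rewrite the DACL with another `sc sdset` and then stop and delete the service; `sc sdshow WinDefender` shows the live value on a suspect host.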

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
FI 77.91.124.82:19071 - tcp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
FI 77.91.68.78:80 77.91.68.78 tcp
FI 77.91.124.55:19071 - tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
RU 5.42.92.88:80 5.42.92.88 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 88.92.42.5.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.124.55:19071 - tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
IT 185.196.9.65:80 - tcp
NL 85.209.176.128:80 85.209.176.128 tcp
US 8.8.8.8:53 65.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 128.176.209.85.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 - tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
TR 185.216.70.238:37515 - tcp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.75.67.172.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 172.67.75.172:443 api.ip.sb tcp
N/A 224.0.0.251:5353 - udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 106.39.251.142.in-addr.arpa udp
FI 77.91.124.82:19071 - tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
DE 172.217.23.202:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 202.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 16.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
US 8.8.8.8:53 206.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
FI 77.91.124.55:19071 - tcp
US 8.8.8.8:53 clients2.google.com udp
NL 142.251.36.46:443 clients2.google.com tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 46.36.251.142.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 www.bing.com tcp
US 204.79.197.200:443 www.bing.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
FI 77.91.124.55:19071 - tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.206:443 accounts.youtube.com tcp
FI 77.91.124.55:19071 - tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
FI 77.91.124.55:19071 - tcp
US 8.8.8.8:53 4242d6a6-87f1-4d2c-8db6-5b46837d51a5.uuid.statsexplorer.org udp
FI 77.91.124.55:19071 - tcp
FI 77.91.124.55:19071 - tcp
US 8.8.8.8:53 server15.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun3.l.google.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 74.125.204.127:19302 stun3.l.google.com udp
BG 185.82.216.108:443 server15.statsexplorer.org tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 127.204.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
FI 77.91.124.82:19071 - tcp
N/A 127.0.0.1:3389 - tcp
FI 77.91.124.55:19071 - tcp
BG 185.82.216.108:443 server15.statsexplorer.org tcp
FI 77.91.124.55:19071 - tcp
FI 77.91.124.55:19071 - tcp
FI 77.91.124.82:19071 - tcp
FI 77.91.124.55:19071 - tcp
BG 185.82.216.108:443 server15.statsexplorer.org tcp
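
Read as a flat list the Network table hides its shape: the loader's C2 at 77.91.124.55:19071 is contacted over and over with no hostname behind it, payloads are fetched over plain HTTP from bare IPs, the stealer checks its public address through api.ip.sb and ipinfo.io, and most of the remaining rows are the browser's own traffic plus PTR lookups the sandbox issues for every peer. The Python below is an added example, not part of this report or of the sandbox: it parses a constructed excerpt of the table in the same column layout, separates resolver traffic from real connections, and tags each endpoint. The tag names, the web-port set and the beacon threshold are assumptions chosen for this report.

```python
"""Turn the flat Network table above into a per-endpoint summary with IOC tags.

Added example; not part of the original report. NETWORK_ROWS is a constructed
excerpt of the table in the same layout (Country, Destination, Domain, Proto;
the Domain cell is absent when the sandbox saw no hostname, and repeats the IP
for raw-IP HTTP). The tagging heuristics and thresholds are assumptions.
"""
from collections import Counter

NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
TR 185.216.70.238:37515 tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
FI 77.91.124.55:19071 tcp
N/A 224.0.0.251:5353 udp
FI 77.91.68.52:80 77.91.68.52 tcp
BG 185.82.216.108:443 server15.statsexplorer.org tcp
N/A 127.0.0.1:3389 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.82:19071 tcp
"""

DNS_RESOLVER = "8.8.8.8:53"
WEB_PORTS = {"80", "443"}
# "What is my IP" services that stealers query for victim geolocation.
IP_LOOKUP_SERVICES = {"api.ip.sb", "ipinfo.io"}


def parse_rows(text):
    """Parse the whitespace-separated table; 3-token rows have no Domain cell."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        host, port = dest.rsplit(":", 1)
        if domain == host:            # raw-IP connection, no hostname
            domain = ""
        rows.append({"country": country, "host": host, "port": port,
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Split resolver traffic from real connections; count connections per endpoint."""
    lookups, conns, meta = set(), Counter(), {}
    for r in rows:
        if f'{r["host"]}:{r["port"]}' == DNS_RESOLVER:
            if not r["domain"].endswith(".in-addr.arpa"):   # drop the sandbox's PTR noise
                lookups.add(r["domain"])
            continue
        key = (r["host"], r["port"], r["proto"])
        conns[key] += 1
        meta[key] = r
    return lookups, conns, meta


def classify(rows, beacon_min=3):
    """Tag each endpoint; returns {(host, port, proto): (tag, hit_count)}."""
    _, conns, meta = summarize(rows)
    tags = {}
    for key, n in conns.items():
        host, port, _ = key
        domain = meta[key]["domain"]
        if host.startswith(("127.", "224.")):
            tag = "local"                    # loopback / mDNS, not an external IOC
        elif not domain and port not in WEB_PORTS:
            # Repeated, unresolved, non-web port: the classic loader/stealer C2 shape.
            tag = "beacon" if n >= beacon_min else "unresolved_nonweb"
        elif not domain:
            tag = "raw_ip_http"              # payload hosting over plain HTTP by IP
        elif domain in IP_LOOKUP_SERVICES:
            tag = "ip_lookup"
        else:
            tag = "named"
        tags[key] = (tag, n)
    return tags


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    for (host, port, proto), (tag, n) in sorted(classify(rows).items(), key=lambda kv: -kv[1][1]):
        print(f"{tag:18} {n:2}x {host}:{port}/{proto}")
```

The 127.0.0.1:3389 row is kept but tagged local on purpose: a loopback RDP connection is not an external indicator, but it is worth a second look on a host where a dropped service has just been granted its own firewall rule. Pasting the full table from the report into NETWORK_ROWS works unchanged, since the parser only relies on the token count per row.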

Files

memory/3944-0-0x0000000000400000-0x000000000053D000-memory.dmp

memory/3944-1-0x0000000000400000-0x000000000053D000-memory.dmp

memory/3944-2-0x0000000000400000-0x000000000053D000-memory.dmp

memory/3944-3-0x0000000000400000-0x000000000053D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe

MD5 936970e378a3aff3db82c3aa3c260918
SHA1 a92b3dc2d920414d011130acdec3b15ee99d12b5
SHA256 3ab5368640fc91ec2bf070d6557de6e573c64535b64706ee4b212da33be1744e
SHA512 6c20aa935937ded851d4aa14d9292fd83f409288d431559ff3019e995841b8bb2592ae227a3bf653fd7697b269d3ef72f7b6ab65243b305446b0f5963783c368

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe

MD5 371961674f9baf00d0681cf000352c56
SHA1 58b4ccd38f7c22b020f74103e152a4179b303551
SHA256 b8ad25c33ef0d7871f4835c2a2d215b85bdf0e4b5ee8166c62e161b29cfe0411
SHA512 7f1a38e1dc617e90b2594c805892f78fba247b4d9c0c44fe57b461e65eaf705a33a14bc0a5741f7f5dccba7fa940a2db717b30775dd26b5c7ec37bebc3ec42ec

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe

MD5 01f4d197c02f1db661acc5d1a966d7be
SHA1 45b84854cfa8715ffbb65632f5d6dd1a1928ba10
SHA256 b201c21cd311d7c6f7437b330f5d44eb1284ac2d2eea98110ec09427e8b898b4
SHA512 5914c30af00908a92699abda6e1865b3a16c8705fa0c4630c23b7d2967a4790cbc994f05bf14e6461bacc24149285f258742eb644024a99acf34d6549d9567fa

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe

MD5 d378528093ac8d36112695dedd14467e
SHA1 5244aa8304ab53a8965b5b7741b0b36bccc18e6e
SHA256 bed5dfffa8bc81337317892648affe16f64ba04c3a9ca3ea6ea6506c830fc2d3
SHA512 2aae3fab87abde88b1948c9e7ddae9579ee4844c75304ea64faa9064814672ffa611684d459bca21a6afc90da74c827cd9ec2e7f9c49001fb45063d73e588773

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe

MD5 c5e20b7589f18cf8fdbd0f936663a934
SHA1 eea0a6ab70157314289102f32fcab96feafb9a4e
SHA256 9e732cfa94e805485c916c71a67badc27dd9e071494156c60093871e74f38bc4
SHA512 544507f4143bdfb56ea27869827857294a1eaad53e59cb8acc202585bd7bad8755d6e1d0ca27985c0d486933a5f80f8b3f4a2491fb33504419074d3cbb4621e1

memory/1636-39-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1636-40-0x0000000073FF0000-0x00000000747A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe

MD5 1d8738b6408875c98ecc722c79a44c2b
SHA1 2b13e9cfd7b86754991e3e24591d8f1f05721dce
SHA256 22feda81500bb6b14d8f4b88fb174350fe427d35ebabe00daaecc52e38e58ce3
SHA512 0de81a2d3e8deac73d9d8a927f1b844c61da926c70ef30a1757bd6ecb159ca53737e6f0d391712c575b7bd9541ca2e60be5c1424542a2691b22a6906192aa280

memory/4064-44-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4064-45-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4064-46-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4064-48-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe

MD5 b23e4f1b59795f30f0de3d7f1c5e6b0f
SHA1 3e402dcabfc85582e42f801b6102f6d7d9a38a1a
SHA256 503d2d7d495d85d0b832d069439f31f605e683a94b434cc06255c818dcea8bd3
SHA512 5d20999393700e3ea570a3c6a2931bb4a45b54cd752195f014ad3ad7955805c4e77b55b9fa8ca0afa3c9b06b3ec99438a254e5fcd29311f3f3922efd554d6390

memory/1044-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1044-53-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

MD5 c256a814d3f9d02d73029580dfe882b3
SHA1 e11e9ea937183139753f3b0d5e71c8301d000896
SHA256 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA512 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6802571.exe

MD5 2140220b8e72308f35acc9c3e79ea4e4
SHA1 73c7a5c755b6d64faf75a3c527483113d9bedb26
SHA256 452c14c2a7a3f4d725d467db3c2b8840c2ed875c9cdd4172626fb45d5ac7b62c
SHA512 1da353ec2bf469cf6a9bb5b90f5b1b8d3fe2a084c71aa32526a7309e0f7755604fc3eec4066ad77d960904c7f70b997b9c582d1b42661512908a29028e720cb9

C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1

MD5 396a54bc76f9cce7fb36f4184dbbdb20
SHA1 bb4a6e14645646b100f72d6f41171cd9ed6d84c4
SHA256 569231a6d7fcb66f4cacf62fd927c9c7da74d720e78ae09e07032b71a1e0a43a
SHA512 645dd17a7ddad1f8cc7b35ff0c2a5c02edfe13f21e312c3e2b7b87f75b18376cc153b2f7323558fa4fb36422878bbcc40c66ab3f6f83c60a8bee3c87ae296bbe

memory/4632-75-0x00000000052A0000-0x00000000052D6000-memory.dmp

memory/3944-74-0x0000000000400000-0x000000000053D000-memory.dmp

memory/4632-76-0x0000000073FF0000-0x00000000747A0000-memory.dmp

memory/4632-77-0x0000000005330000-0x0000000005340000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe

MD5 ed68db3e61b1eab8d1de76b206b4a49d
SHA1 8d69b9cf4b766b3a8bea15a66be92c03fa175f5d
SHA256 73692bf03a65b37f94c489a31213c952ff6da8efa40ec3005070c22be8564850
SHA512 b52977a57bf40b5f40b9a2cc3be327e8f67aea9373541cd361ffc1b729c05353a9b4c8acfe4346f186add5341061a3e72acb86f0f89f24ba1d10131ef75d2d52

memory/5100-88-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1636-91-0x0000000073FF0000-0x00000000747A0000-memory.dmp

memory/4632-92-0x0000000005330000-0x0000000005340000-memory.dmp

memory/3172-93-0x0000000003010000-0x0000000003026000-memory.dmp

memory/1044-95-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5100-98-0x0000000073FF0000-0x00000000747A0000-memory.dmp

memory/4632-99-0x0000000005970000-0x0000000005F98000-memory.dmp

memory/5100-97-0x0000000002920000-0x0000000002926000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe

MD5 296a99463a7cab9be804160b9a921511
SHA1 7e68a29ee63ba62a1aad985843540add58c50470
SHA256 ab3305290371a32c8c458ae5abaea266df3a37f9b51ab59f3504425e780d4074
SHA512 f6431046814f474900c7e3f02b3c62d9fb8b08b5cd1a7d293db63e78f7d86eb8ca4a8f22c7c62c0aa006e97c255b00e80d0e6f70d0b7591edb60261c69899f13

memory/4292-115-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4632-124-0x00000000060D0000-0x00000000060F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tk9Fs0eR.exe

MD5 49c6b2129cba0a548bc9ea93e8a64dde
SHA1 50cb8f80a6406eddf22196a4b377a224741a248c
SHA256 8d2411fb2f127410d8183c9900058be2be6b6b0ab1ea7ebcd72955c12f6c671e
SHA512 4a46d8107380f907d90c4f2eba20d003ca29100cd1bb06a3c0a21652c158fd3aee82e95c45e61b4e17b17ff18e33b4a012f227e0c77c7325b5f364cdb077b5f6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tk9Fs0eR.exe

MD5 49c6b2129cba0a548bc9ea93e8a64dde
SHA1 50cb8f80a6406eddf22196a4b377a224741a248c
SHA256 8d2411fb2f127410d8183c9900058be2be6b6b0ab1ea7ebcd72955c12f6c671e
SHA512 4a46d8107380f907d90c4f2eba20d003ca29100cd1bb06a3c0a21652c158fd3aee82e95c45e61b4e17b17ff18e33b4a012f227e0c77c7325b5f364cdb077b5f6

C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe

MD5 0c37d9cb86e3e66f48608b6015f2dd0c
SHA1 9eb94f6fd734a914b3e764f7580b921025df6d25
SHA256 c70d9ea784b5a26cf6b2e2383640e265f4d3f65b208a5fb1ab73019d54c42ebb
SHA512 dc4035adb37de5ba8828b47bfea0e774a12fa2e789556489b9ba1ff110dff55190eb292fb2feabb886c7e00aad695ba39f2d7793b6a6eab744fd36a86b390a62

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pd9AT8Ax.exe

MD5 e1e9e4d39b7e9b45b885b7334c24b73d
SHA1 b6dbedaafbf5a3f7ef424a904195fe50dc6199dc
SHA256 d9c6b825ecb02120ef96fb915de6feb274d95970241a53a3cc86b4eb73386fb1
SHA512 4a098850956283c99bff1e36314ba2c5147a83686d98e974d089389641c3208006bc86028341f0278032b943826e6fc4093603ce83a5d698fd22d230786ef8d2

memory/1636-142-0x0000000073FF0000-0x00000000747A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4rpagcea.zwf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pd9AT8Ax.exe

MD5 e1e9e4d39b7e9b45b885b7334c24b73d
SHA1 b6dbedaafbf5a3f7ef424a904195fe50dc6199dc
SHA256 d9c6b825ecb02120ef96fb915de6feb274d95970241a53a3cc86b4eb73386fb1
SHA512 4a098850956283c99bff1e36314ba2c5147a83686d98e974d089389641c3208006bc86028341f0278032b943826e6fc4093603ce83a5d698fd22d230786ef8d2

C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe

MD5 0c37d9cb86e3e66f48608b6015f2dd0c
SHA1 9eb94f6fd734a914b3e764f7580b921025df6d25
SHA256 c70d9ea784b5a26cf6b2e2383640e265f4d3f65b208a5fb1ab73019d54c42ebb
SHA512 dc4035adb37de5ba8828b47bfea0e774a12fa2e789556489b9ba1ff110dff55190eb292fb2feabb886c7e00aad695ba39f2d7793b6a6eab744fd36a86b390a62

C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe

MD5 0c37d9cb86e3e66f48608b6015f2dd0c
SHA1 9eb94f6fd734a914b3e764f7580b921025df6d25
SHA256 c70d9ea784b5a26cf6b2e2383640e265f4d3f65b208a5fb1ab73019d54c42ebb
SHA512 dc4035adb37de5ba8828b47bfea0e774a12fa2e789556489b9ba1ff110dff55190eb292fb2feabb886c7e00aad695ba39f2d7793b6a6eab744fd36a86b390a62

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly4Vg9xo.exe

MD5 868ea2d858e6aa3a541f36b9b9249485
SHA1 e659f9b7e75313fe94f67350cd4c9518428b61d2
SHA256 eac5a537d1cec2e14707af5afa910fbd6e27daf6899fa2cbafabe9717971edc0
SHA512 324badcfefec1ef4884f6c8999c005b73076671feba9e2f792068782519f9cb9259dbb8b2cff0b359290174add74e53da4a3103cd69eb588eab56275b9b0ac5d

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly4Vg9xo.exe

MD5 868ea2d858e6aa3a541f36b9b9249485
SHA1 e659f9b7e75313fe94f67350cd4c9518428b61d2
SHA256 eac5a537d1cec2e14707af5afa910fbd6e27daf6899fa2cbafabe9717971edc0
SHA512 324badcfefec1ef4884f6c8999c005b73076671feba9e2f792068782519f9cb9259dbb8b2cff0b359290174add74e53da4a3103cd69eb588eab56275b9b0ac5d

memory/1984-161-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1984-167-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1984-166-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1984-169-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4632-170-0x0000000006200000-0x0000000006266000-memory.dmp

memory/4632-171-0x0000000006190000-0x00000000061F6000-memory.dmp

memory/5100-173-0x0000000005880000-0x0000000005E98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kl9vi6ZY.exe

MD5 9d8956aa80a4ff33e0f19f3ec2cca953
SHA1 6993a5a4710fe281ca5d112c8e822155832820ea
SHA256 4f2e85da049de46e98eb26753a08e545526be10544a799aaebbf857e102015be
SHA512 ec586f9b4e087b4f2f989bb2807c16d6bf41e7634c79aa85cee113b30d65b350042a6f1744b9ffa9433e8bd44cd1fcabd4f2796e7861d122c89ad9fd1695b484

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kl9vi6ZY.exe

MD5 9d8956aa80a4ff33e0f19f3ec2cca953
SHA1 6993a5a4710fe281ca5d112c8e822155832820ea
SHA256 4f2e85da049de46e98eb26753a08e545526be10544a799aaebbf857e102015be
SHA512 ec586f9b4e087b4f2f989bb2807c16d6bf41e7634c79aa85cee113b30d65b350042a6f1744b9ffa9433e8bd44cd1fcabd4f2796e7861d122c89ad9fd1695b484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3236507.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3236507.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

memory/5100-194-0x0000000005370000-0x000000000547A000-memory.dmp

memory/5100-199-0x0000000005260000-0x0000000005272000-memory.dmp

memory/5100-200-0x0000000005250000-0x0000000005260000-memory.dmp

memory/4632-198-0x0000000006370000-0x00000000066C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe

MD5 1fa45c8aae9d67b6c00c5f94ce24cf2c
SHA1 20308b1f915af3bbf393b41727e89757e92c38af
SHA256 a66bc927db7d3a2c22a1383d01cc46f07c6ec3f177fc2f65efce42a56a93240b
SHA512 818d0f27d0687ab13e677599ee8d042d8ec8dd28358f5b885a940929313e76703b94e4654c2ada473fe42b5524cb34d17cf0aed5a3210b0bea427b582391dfe7

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

memory/5100-202-0x00000000052C0000-0x00000000052FC000-memory.dmp

memory/3944-203-0x0000000000400000-0x000000000053D000-memory.dmp

memory/5100-204-0x0000000005300000-0x000000000534C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe

MD5 1fa45c8aae9d67b6c00c5f94ce24cf2c
SHA1 20308b1f915af3bbf393b41727e89757e92c38af
SHA256 a66bc927db7d3a2c22a1383d01cc46f07c6ec3f177fc2f65efce42a56a93240b
SHA512 818d0f27d0687ab13e677599ee8d042d8ec8dd28358f5b885a940929313e76703b94e4654c2ada473fe42b5524cb34d17cf0aed5a3210b0bea427b582391dfe7

memory/3172-206-0x00000000030E0000-0x00000000030F6000-memory.dmp

memory/4212-210-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4212-211-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4632-212-0x0000000073FF0000-0x00000000747A0000-memory.dmp

memory/4292-213-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4212-215-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4632-216-0x0000000005330000-0x0000000005340000-memory.dmp

memory/4632-217-0x0000000005330000-0x0000000005340000-memory.dmp

memory/4632-218-0x0000000006860000-0x000000000687E000-memory.dmp

memory/5100-219-0x0000000073FF0000-0x00000000747A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1

MD5 396a54bc76f9cce7fb36f4184dbbdb20
SHA1 bb4a6e14645646b100f72d6f41171cd9ed6d84c4
SHA256 569231a6d7fcb66f4cacf62fd927c9c7da74d720e78ae09e07032b71a1e0a43a
SHA512 645dd17a7ddad1f8cc7b35ff0c2a5c02edfe13f21e312c3e2b7b87f75b18376cc153b2f7323558fa4fb36422878bbcc40c66ab3f6f83c60a8bee3c87ae296bbe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2AV562Ar.exe

MD5 fa1fb003b8579fce1ec837487a842c35
SHA1 a7182b39581d3036c287ca54aa5b8cd41720d2cc
SHA256 5366c36e6380b6bb7dcfec54ba4df1f61d732942b415841125df6ab97aeac138
SHA512 7e00d532f8b84ef180f4a88188eb2466c3d2b96089a623ec2b4dbcbfca12ac2040c6808c53b00c60cd5ccf955972b895aa60657d75f732cdc9c088eacfffc56c

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2AV562Ar.exe

MD5 fa1fb003b8579fce1ec837487a842c35
SHA1 a7182b39581d3036c287ca54aa5b8cd41720d2cc
SHA256 5366c36e6380b6bb7dcfec54ba4df1f61d732942b415841125df6ab97aeac138
SHA512 7e00d532f8b84ef180f4a88188eb2466c3d2b96089a623ec2b4dbcbfca12ac2040c6808c53b00c60cd5ccf955972b895aa60657d75f732cdc9c088eacfffc56c

memory/2592-230-0x0000000073FF0000-0x00000000747A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe

MD5 2a18e8163bdd80fcde52ac7a630ca65d
SHA1 18983ef45b2953cb5b7ee9ed6fa153e406c85311
SHA256 f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82
SHA512 bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb

memory/2592-236-0x0000000000040000-0x000000000007E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe

MD5 2a18e8163bdd80fcde52ac7a630ca65d
SHA1 18983ef45b2953cb5b7ee9ed6fa153e406c85311
SHA256 f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82
SHA512 bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb

C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe

MD5 2a18e8163bdd80fcde52ac7a630ca65d
SHA1 18983ef45b2953cb5b7ee9ed6fa153e406c85311
SHA256 f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82
SHA512 bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb

memory/2592-244-0x00000000072C0000-0x0000000007864000-memory.dmp

memory/2592-245-0x0000000006DC0000-0x0000000006E52000-memory.dmp

memory/2592-246-0x0000000006D90000-0x0000000006DA0000-memory.dmp

memory/2592-247-0x0000000006FC0000-0x0000000006FCA000-memory.dmp

memory/5100-248-0x0000000005250000-0x0000000005260000-memory.dmp

memory/4632-249-0x0000000005330000-0x0000000005340000-memory.dmp

memory/4632-250-0x00000000078A0000-0x0000000007936000-memory.dmp

memory/4632-251-0x0000000006D80000-0x0000000006D9A000-memory.dmp

memory/4632-252-0x0000000006DF0000-0x0000000006E12000-memory.dmp

memory/4632-253-0x000000007F140000-0x000000007F150000-memory.dmp

memory/4632-254-0x00000000079A0000-0x00000000079D2000-memory.dmp

memory/4632-255-0x000000006C5C0000-0x000000006C60C000-memory.dmp

memory/4632-265-0x0000000007980000-0x000000000799E000-memory.dmp

memory/4632-266-0x0000000007BE0000-0x0000000007C83000-memory.dmp

memory/4632-267-0x0000000008B20000-0x000000000919A000-memory.dmp

memory/4632-269-0x0000000007E20000-0x0000000007E2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4CD3.exe

MD5 296a99463a7cab9be804160b9a921511
SHA1 7e68a29ee63ba62a1aad985843540add58c50470
SHA256 ab3305290371a32c8c458ae5abaea266df3a37f9b51ab59f3504425e780d4074
SHA512 f6431046814f474900c7e3f02b3c62d9fb8b08b5cd1a7d293db63e78f7d86eb8ca4a8f22c7c62c0aa006e97c255b00e80d0e6f70d0b7591edb60261c69899f13

C:\Users\Admin\AppData\Local\Temp\4CD3.exe

MD5 296a99463a7cab9be804160b9a921511
SHA1 7e68a29ee63ba62a1aad985843540add58c50470
SHA256 ab3305290371a32c8c458ae5abaea266df3a37f9b51ab59f3504425e780d4074
SHA512 f6431046814f474900c7e3f02b3c62d9fb8b08b5cd1a7d293db63e78f7d86eb8ca4a8f22c7c62c0aa006e97c255b00e80d0e6f70d0b7591edb60261c69899f13

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe

MD5 49c6b2129cba0a548bc9ea93e8a64dde
SHA1 50cb8f80a6406eddf22196a4b377a224741a248c
SHA256 8d2411fb2f127410d8183c9900058be2be6b6b0ab1ea7ebcd72955c12f6c671e
SHA512 4a46d8107380f907d90c4f2eba20d003ca29100cd1bb06a3c0a21652c158fd3aee82e95c45e61b4e17b17ff18e33b4a012f227e0c77c7325b5f364cdb077b5f6

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe

MD5 49c6b2129cba0a548bc9ea93e8a64dde
SHA1 50cb8f80a6406eddf22196a4b377a224741a248c
SHA256 8d2411fb2f127410d8183c9900058be2be6b6b0ab1ea7ebcd72955c12f6c671e
SHA512 4a46d8107380f907d90c4f2eba20d003ca29100cd1bb06a3c0a21652c158fd3aee82e95c45e61b4e17b17ff18e33b4a012f227e0c77c7325b5f364cdb077b5f6

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe

MD5 49c6b2129cba0a548bc9ea93e8a64dde
SHA1 50cb8f80a6406eddf22196a4b377a224741a248c
SHA256 8d2411fb2f127410d8183c9900058be2be6b6b0ab1ea7ebcd72955c12f6c671e
SHA512 4a46d8107380f907d90c4f2eba20d003ca29100cd1bb06a3c0a21652c158fd3aee82e95c45e61b4e17b17ff18e33b4a012f227e0c77c7325b5f364cdb077b5f6

C:\Users\Admin\AppData\Local\Temp\4F93.exe

MD5 1fa45c8aae9d67b6c00c5f94ce24cf2c
SHA1 20308b1f915af3bbf393b41727e89757e92c38af
SHA256 a66bc927db7d3a2c22a1383d01cc46f07c6ec3f177fc2f65efce42a56a93240b
SHA512 818d0f27d0687ab13e677599ee8d042d8ec8dd28358f5b885a940929313e76703b94e4654c2ada473fe42b5524cb34d17cf0aed5a3210b0bea427b582391dfe7

C:\Users\Admin\AppData\Local\Temp\4F93.exe

MD5 1fa45c8aae9d67b6c00c5f94ce24cf2c
SHA1 20308b1f915af3bbf393b41727e89757e92c38af
SHA256 a66bc927db7d3a2c22a1383d01cc46f07c6ec3f177fc2f65efce42a56a93240b
SHA512 818d0f27d0687ab13e677599ee8d042d8ec8dd28358f5b885a940929313e76703b94e4654c2ada473fe42b5524cb34d17cf0aed5a3210b0bea427b582391dfe7

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe

MD5 e1e9e4d39b7e9b45b885b7334c24b73d
SHA1 b6dbedaafbf5a3f7ef424a904195fe50dc6199dc
SHA256 d9c6b825ecb02120ef96fb915de6feb274d95970241a53a3cc86b4eb73386fb1
SHA512 4a098850956283c99bff1e36314ba2c5147a83686d98e974d089389641c3208006bc86028341f0278032b943826e6fc4093603ce83a5d698fd22d230786ef8d2

C:\Users\Admin\AppData\Local\Temp\4F93.exe

MD5 1fa45c8aae9d67b6c00c5f94ce24cf2c
SHA1 20308b1f915af3bbf393b41727e89757e92c38af
SHA256 a66bc927db7d3a2c22a1383d01cc46f07c6ec3f177fc2f65efce42a56a93240b
SHA512 818d0f27d0687ab13e677599ee8d042d8ec8dd28358f5b885a940929313e76703b94e4654c2ada473fe42b5524cb34d17cf0aed5a3210b0bea427b582391dfe7

C:\Users\Admin\AppData\Local\Temp\5169.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe

MD5 e1e9e4d39b7e9b45b885b7334c24b73d
SHA1 b6dbedaafbf5a3f7ef424a904195fe50dc6199dc
SHA256 d9c6b825ecb02120ef96fb915de6feb274d95970241a53a3cc86b4eb73386fb1
SHA512 4a098850956283c99bff1e36314ba2c5147a83686d98e974d089389641c3208006bc86028341f0278032b943826e6fc4093603ce83a5d698fd22d230786ef8d2

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe

MD5 e1e9e4d39b7e9b45b885b7334c24b73d
SHA1 b6dbedaafbf5a3f7ef424a904195fe50dc6199dc
SHA256 d9c6b825ecb02120ef96fb915de6feb274d95970241a53a3cc86b4eb73386fb1
SHA512 4a098850956283c99bff1e36314ba2c5147a83686d98e974d089389641c3208006bc86028341f0278032b943826e6fc4093603ce83a5d698fd22d230786ef8d2

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe

MD5 868ea2d858e6aa3a541f36b9b9249485
SHA1 e659f9b7e75313fe94f67350cd4c9518428b61d2
SHA256 eac5a537d1cec2e14707af5afa910fbd6e27daf6899fa2cbafabe9717971edc0
SHA512 324badcfefec1ef4884f6c8999c005b73076671feba9e2f792068782519f9cb9259dbb8b2cff0b359290174add74e53da4a3103cd69eb588eab56275b9b0ac5d

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe

MD5 868ea2d858e6aa3a541f36b9b9249485
SHA1 e659f9b7e75313fe94f67350cd4c9518428b61d2
SHA256 eac5a537d1cec2e14707af5afa910fbd6e27daf6899fa2cbafabe9717971edc0
SHA512 324badcfefec1ef4884f6c8999c005b73076671feba9e2f792068782519f9cb9259dbb8b2cff0b359290174add74e53da4a3103cd69eb588eab56275b9b0ac5d

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe

MD5 868ea2d858e6aa3a541f36b9b9249485
SHA1 e659f9b7e75313fe94f67350cd4c9518428b61d2
SHA256 eac5a537d1cec2e14707af5afa910fbd6e27daf6899fa2cbafabe9717971edc0
SHA512 324badcfefec1ef4884f6c8999c005b73076671feba9e2f792068782519f9cb9259dbb8b2cff0b359290174add74e53da4a3103cd69eb588eab56275b9b0ac5d

memory/4632-304-0x0000000007E40000-0x0000000007E51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\53AC.exe

MD5 cb6e2f389f21e3ea466698a289e5089c
SHA1 8f3c17c72b7a4813883bffa8d600848fa4d7930c
SHA256 76426f6eeaff9fc1542bbb511691c20df2d31c678d2110c444c992d2df1e6a37
SHA512 ff4128122587543d5db15909e126f67669fe3ccdb093c734f66f7d971b0e26e14ca04a7b791a657b512033991c726e660c6d6a11cf12964cd49a333011c64e0e

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe

MD5 9d8956aa80a4ff33e0f19f3ec2cca953
SHA1 6993a5a4710fe281ca5d112c8e822155832820ea
SHA256 4f2e85da049de46e98eb26753a08e545526be10544a799aaebbf857e102015be
SHA512 ec586f9b4e087b4f2f989bb2807c16d6bf41e7634c79aa85cee113b30d65b350042a6f1744b9ffa9433e8bd44cd1fcabd4f2796e7861d122c89ad9fd1695b484

C:\Users\Admin\AppData\Local\Temp\53AC.exe

MD5 cb6e2f389f21e3ea466698a289e5089c
SHA1 8f3c17c72b7a4813883bffa8d600848fa4d7930c
SHA256 76426f6eeaff9fc1542bbb511691c20df2d31c678d2110c444c992d2df1e6a37
SHA512 ff4128122587543d5db15909e126f67669fe3ccdb093c734f66f7d971b0e26e14ca04a7b791a657b512033991c726e660c6d6a11cf12964cd49a333011c64e0e

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe

MD5 9d8956aa80a4ff33e0f19f3ec2cca953
SHA1 6993a5a4710fe281ca5d112c8e822155832820ea
SHA256 4f2e85da049de46e98eb26753a08e545526be10544a799aaebbf857e102015be
SHA512 ec586f9b4e087b4f2f989bb2807c16d6bf41e7634c79aa85cee113b30d65b350042a6f1744b9ffa9433e8bd44cd1fcabd4f2796e7861d122c89ad9fd1695b484

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe

MD5 9d8956aa80a4ff33e0f19f3ec2cca953
SHA1 6993a5a4710fe281ca5d112c8e822155832820ea
SHA256 4f2e85da049de46e98eb26753a08e545526be10544a799aaebbf857e102015be
SHA512 ec586f9b4e087b4f2f989bb2807c16d6bf41e7634c79aa85cee113b30d65b350042a6f1744b9ffa9433e8bd44cd1fcabd4f2796e7861d122c89ad9fd1695b484

memory/1112-320-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2AV562Ar.exe

MD5 fa1fb003b8579fce1ec837487a842c35
SHA1 a7182b39581d3036c287ca54aa5b8cd41720d2cc
SHA256 5366c36e6380b6bb7dcfec54ba4df1f61d732942b415841125df6ab97aeac138
SHA512 7e00d532f8b84ef180f4a88188eb2466c3d2b96089a623ec2b4dbcbfca12ac2040c6808c53b00c60cd5ccf955972b895aa60657d75f732cdc9c088eacfffc56c

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1uN09ht3.exe

MD5 1fa45c8aae9d67b6c00c5f94ce24cf2c
SHA1 20308b1f915af3bbf393b41727e89757e92c38af
SHA256 a66bc927db7d3a2c22a1383d01cc46f07c6ec3f177fc2f65efce42a56a93240b
SHA512 818d0f27d0687ab13e677599ee8d042d8ec8dd28358f5b885a940929313e76703b94e4654c2ada473fe42b5524cb34d17cf0aed5a3210b0bea427b582391dfe7

C:\Users\Admin\AppData\Local\Temp\53AC.exe

MD5 cb6e2f389f21e3ea466698a289e5089c
SHA1 8f3c17c72b7a4813883bffa8d600848fa4d7930c
SHA256 76426f6eeaff9fc1542bbb511691c20df2d31c678d2110c444c992d2df1e6a37
SHA512 ff4128122587543d5db15909e126f67669fe3ccdb093c734f66f7d971b0e26e14ca04a7b791a657b512033991c726e660c6d6a11cf12964cd49a333011c64e0e

C:\Users\Admin\AppData\Local\Temp\5488.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

C:\Users\Admin\AppData\Local\Temp\5488.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

memory/2592-336-0x0000000006D90000-0x0000000006DA0000-memory.dmp

memory/3832-335-0x0000000002360000-0x0000000002380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\55B2.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3832-338-0x0000000073FF0000-0x00000000747A0000-memory.dmp

memory/3832-339-0x0000000002230000-0x0000000002240000-memory.dmp

memory/3832-340-0x0000000002230000-0x0000000002240000-memory.dmp

memory/3832-337-0x0000000002450000-0x000000000246E000-memory.dmp

memory/3832-342-0x0000000002450000-0x0000000002468000-memory.dmp

memory/3832-344-0x0000000002450000-0x0000000002468000-memory.dmp

memory/3832-346-0x0000000002450000-0x0000000002468000-memory.dmp

memory/4632-343-0x0000000005330000-0x0000000005340000-memory.dmp

memory/1300-341-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1112-316-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2592-315-0x0000000073FF0000-0x00000000747A0000-memory.dmp

memory/1112-307-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1300-347-0x0000000073FF0000-0x00000000747A0000-memory.dmp

memory/3832-351-0x0000000002450000-0x0000000002468000-memory.dmp

memory/3832-353-0x0000000002450000-0x0000000002468000-memory.dmp

memory/1512-361-0x0000000000400000-0x0000000000432000-memory.dmp

memory/1512-363-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3832-364-0x0000000002450000-0x0000000002468000-memory.dmp

memory/3832-360-0x0000000002450000-0x0000000002468000-memory.dmp

memory/4632-358-0x000000007F140000-0x000000007F150000-memory.dmp

memory/1512-368-0x0000000000400000-0x0000000000432000-memory.dmp

memory/3832-369-0x0000000002450000-0x0000000002468000-memory.dmp

memory/3832-374-0x0000000002450000-0x0000000002468000-memory.dmp

memory/3832-379-0x0000000002450000-0x0000000002468000-memory.dmp

memory/1076-376-0x0000000073FF0000-0x00000000747A0000-memory.dmp

memory/1076-375-0x0000000000980000-0x00000000009DA000-memory.dmp

memory/3832-383-0x0000000002450000-0x0000000002468000-memory.dmp

memory/3832-385-0x0000000002450000-0x0000000002468000-memory.dmp

memory/3832-392-0x0000000002450000-0x0000000002468000-memory.dmp

memory/3832-395-0x0000000002450000-0x0000000002468000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9b74e7608a8db1e9764db2329cf508e0
SHA1 b01b8890da12731722c805bcb76f34267733c94c
SHA256 1c6289d519391093197614ce25b83093b70a5e8cae62bc0432d5aa3807cdc7d2
SHA512 a08f0d1b91f4fdbdf116d72b2d8aaded49c2aa94e3b5977664097fe6b0354edac7367155ac44b3ec271ac24473196378805622b3f1398b7053a8cb0da67026b9

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0bdaebfeace24982b0992263636b9740
SHA1 48dc9018a6a9bb9f69c5e79b0c44923b18421877
SHA256 300c7c0b6c4c03484cd7426e802855c0c50b53a1d007150b92752c74a05c879f
SHA512 f25b6f87bb4741739ef61724e88df79edb261e536641f2eda0154209b728b1d5da3cdb9ad50bf8c7ac617b52f4a65fa7164217cf72419d31f24f1a6f7e3e8906

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1112948c0e3735d654d035d61be2ac94
SHA1 a82bb00bc60b58d397afc1e6e0bcd68ae9700656
SHA256 a996c92af35b94b08aea67382a95313b5e1e59d43c41155915b4b1809f182ba6
SHA512 cb80f2d316255b00735d7c4c3a44a2f925581180cfbe9a8cac8848a134aff39980e81f1da6cc1b6f2f2593f091d8687c7df039b37275155edbf1ff27e24a2941

C:\Users\Admin\AppData\Local\Temp\tmpA7BD.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpA87A.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpA84F.tmp

MD5 90e96ddf659e556354303b0029bc28fc
SHA1 22e5d73edd9b7787df2454b13d986f881261af57
SHA256 b62f6f0e4e88773656033b8e70eb487e38c83218c231c61c836d222b1b1dca9e
SHA512 bd1b188b9749decacb485c32b7885c825b6344a92f2496b38e5eb3f86b24015c63bd1a35e82969306ab6d6bc07826442e427f4765beade558378a4404af087a9

C:\Users\Admin\AppData\Local\Temp\tmpA8D5.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpA8BF.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmpA95E.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 6dcb90ba1ba8e06c1d4f27ec78f6911a
SHA1 71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9
SHA256 30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416
SHA512 dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 0c459e65bcc6d38574f0c0d63a87088a
SHA1 41e53d5f2b3e7ca859b842a1c7b677e0847e6d65
SHA256 871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4
SHA512 be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2ac6d3fcf6913b1a1ac100407e97fccb
SHA1 809f7d4ed348951b79745074487956255d1d0a9a
SHA256 30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe
SHA512 79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EGWOM5I1\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\NL10.127.0.53\Google Chrome\webhistory.txt

MD5 2a76b3e934844a2a713d509f764db633
SHA1 3c190760fc63f72319dcc8535626e5f4cf6f46ff
SHA256 0d4d39a3d65d961dbd5df255f4cf69ab6b87076a9a366a8db723c98b7bbf20f2
SHA512 6d8f86a39dacb158cba5956610578f3e9873d66547e62cb491c440b108062cae2c35d16e292fd2f528d70ed9e5814c8916f4ada9f551498a5366fb709a9b1a82

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 6d5040418450624fef735b49ec6bffe9
SHA1 5fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256 dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512 bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7H3JZN74\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee