Analysis Overview
SHA256
b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d
Threat Level: Known bad
The file b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d was found to be: Known bad.
Malicious Activity Summary
RedLine
Amadey
SystemBC
Healer
SmokeLoader
RedLine payload
Glupteba
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
DcRat
Detected google phishing page
Looks for VirtualBox Guest Additions in registry
Modifies Windows Firewall
Looks for VMWare Tools registry key
Downloads MZ/PE file
Reads user/profile data of local email clients
Loads dropped DLL
Checks BIOS information in registry
.NET Reactor protector
Uses the VBS compiler for execution
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Maps connected drives based on registry
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Unsigned PE
Enumerates physical storage devices
Program crash
Modifies registry class
Creates scheduled task(s)
Modifies Internet Explorer settings
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Kills process with taskkill
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-12 12:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-12 12:10
Reported
2023-10-16 03:31
Platform
win7-20230831-en
Max time kernel
118s
Max time network
132s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2792 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe
"C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 92
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 200
Network
Files
memory/2624-3-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2624-2-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2624-1-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2624-0-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2624-5-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2624-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2624-4-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2624-7-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2624-9-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2624-11-0x0000000000400000-0x000000000053D000-memory.dmp
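The behavioral1 run on Windows 7 yields only three signatures: the sample (PID 2792) writes a thread context into its AppLaunch.exe child (PID 2624), and both processes then crash under WerFault (the `-p` argument names the crashed PID). What survives for analysis is the list of memory dumps of the target. The script below is an added example, not part of the sandbox report or of any of the tagged families' code: it reads the dump file names in the form they appear above (`memory/<pid>-<snapshot>-<start>-<end>-memory.dmp`, a convention inferred from those names, not from any sandbox documentation), merges the dumped ranges per PID, and joins them with the SetThreadContext row and the WerFault command lines, so the responder can see which process was written into and which address range to carve first. All input lists are copied from the section above; the helper and key names are this example's own.

```python
import re
from collections import defaultdict

# Constructed input, copied from the behavioral1 section above.
THREAD_CONTEXT_ROWS = [
    r'| PID 2792 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |',
]
COMMAND_LINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 92",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 200",
]
DUMPS = [
    "memory/2624-0-0x0000000000400000-0x000000000053D000-memory.dmp",
    "memory/2624-1-0x0000000000400000-0x000000000053D000-memory.dmp",
    "memory/2624-2-0x0000000000400000-0x000000000053D000-memory.dmp",
    "memory/2624-3-0x0000000000400000-0x000000000053D000-memory.dmp",
    "memory/2624-4-0x0000000000400000-0x000000000053D000-memory.dmp",
    "memory/2624-5-0x0000000000400000-0x000000000053D000-memory.dmp",
    "memory/2624-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp",
    "memory/2624-7-0x0000000000400000-0x000000000053D000-memory.dmp",
    "memory/2624-9-0x0000000000400000-0x000000000053D000-memory.dmp",
    "memory/2624-11-0x0000000000400000-0x000000000053D000-memory.dmp",
]

# Naming convention as read off the file names above (an assumption of this example):
# memory/<pid>-<snapshot>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
WER_RE = re.compile(r"WerFault\.exe .*-p (\d+)")   # WerFault's -p names the crashed process


def merge(ranges):
    """Merge overlapping (start, end) ranges; repeated snapshots of one range collapse to one."""
    merged = []
    for start, end in sorted(set(ranges)):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def dumped_regions(names):
    """Group dump file names by PID and return the merged address ranges per PID."""
    per_pid = defaultdict(list)
    for name in names:
        m = DUMP_RE.fullmatch(name)
        if m:
            per_pid[int(m[1])].append((int(m[3], 16), int(m[4], 16)))
    return {pid: merge(r) for pid, r in per_pid.items()}


def injection_map(ctx_rows, cmdlines, dump_names):
    """Join SetThreadContext rows, WerFault crashes and dump ranges into one per-PID view."""
    images, edges = {}, []
    for row in ctx_rows:
        cells = [c.strip() for c in row.strip().strip("|").split(" | ")]
        m = CTX_RE.search(cells[0])
        if m and len(cells) == 4:
            src, dst = int(m[1]), int(m[2])
            images[src], images[dst] = cells[2], cells[3]   # Process column, Target column
            edges.append((src, dst))
    crashed = set()
    for line in cmdlines:
        m = WER_RE.search(line)
        if m:
            crashed.add(int(m[1]))
    regions = dumped_regions(dump_names)
    report = {}
    for pid in sorted(set(images) | set(regions) | crashed):
        report[pid] = {
            "image": images.get(pid),
            "injected_by": [s for s, d in edges if d == pid],
            "crashed": pid in crashed,
            # (start, end, size in bytes) for each merged dumped range
            "regions": [(hex(s), hex(e), e - s) for s, e in regions.get(pid, [])],
        }
    return report


if __name__ == "__main__":
    for pid, info in injection_map(THREAD_CONTEXT_ROWS, COMMAND_LINES, DUMPS).items():
        print(pid, info)
```

For this run the output reduces to one fact worth acting on: PID 2624 (AppLaunch.exe) received a thread context from PID 2792, and the sandbox dumped the same 0x400000 to 0x53D000 range of it in nine snapshots (1,298,432 bytes) plus one 4 KiB page; that range is where to look for the injected image. Both PIDs crashing is consistent with the Windows 7 run ending before the payload did anything, which is why the Windows 10 run (behavioral2) carries the bulk of the signatures.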
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-12 12:10
Reported
2023-10-16 03:31
Platform
win10v2004-20230915-en
Max time kernel
100s
Max time network
166s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detected google phishing page
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Glupteba
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\taskkill.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\taskkill.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\taskkill.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\taskkill.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\system32\taskkill.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
SystemBC
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\9198.exe | N/A |
Downloads MZ/PE file
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\9198.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\9198.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3236507.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5D75.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nalo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000077051\\nalo.exe" | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pd9AT8Ax.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000127051\\socks.exe" | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sus.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000075051\\sus.exe" | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4CD3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto2552.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000076051\\foto2552.exe" | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly4Vg9xo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kl9vi6ZY.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup9 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP010.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tk9Fs0eR.exe | N/A |
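The two registry tables above, the Windows Defender real-time protection values and the Run/RunOnce entries, are the rows a responder turns into host checks. The script below is an added example, not part of the sandbox report or of any of the tagged families' code. It parses rows in the report's own `| Description | Indicator | Process | Target |` layout (a handful copied above as constructed input), maps the `\REGISTRY\MACHINE` and `\REGISTRY\USER` prefixes to HKLM/HKU, decodes the escaped values, and separates two things the tables mix together: the `wextract_cleanup<N>` RunOnce entries, which are the IExpress self-extractor's own bookkeeping (`advpack.dll,DelNodeRunDLL32` deletes the `IXP<NNN>.TMP` unpack folder at next logon) and so only reveal the depth of the unpack chain, and the genuine persistence written under the user's Run key. The hive mapping, the flag wording and the short list of system process names are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: rows copied from the "Modifies Windows Defender Real-time
# Protection settings" and "Adds Run key to start application" tables above.
ROWS = [
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\taskkill.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nalo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000077051\\nalo.exe" | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000127051\\socks.exe" | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto2552.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000076051\\foto2552.exe" | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe | N/A |',
    r'| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |',   # rows without a registry indicator are skipped
]

DEFENDER_RTP_KEY = r"Policies\Microsoft\Windows Defender\Real-Time Protection"
AUTORUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
# Names that only belong in System32; a Run entry pointing elsewhere is masquerading (example's own list).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "winlogon.exe"}


@dataclass
class RegistryEvent:
    action: str            # "Set value (int)", "Key created", ...
    path: str              # hive-prefixed key path, e.g. HKLM\SOFTWARE\...
    value: Optional[str]   # decoded data for Set value rows, else None
    process: str           # process that performed the write


def normalize(path: str) -> str:
    # Map the NT object-manager prefixes used in the report to the usual hive names.
    for nt, hive in ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU")):
        if path.startswith(nt):
            return hive + path[len(nt):]
    return path


def decode_value(raw: str) -> str:
    # Drop the report's outer quotes, then undo its backslash escapes (\\ and \").
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", raw)


def parse_row(row: str) -> Optional[RegistryEvent]:
    cells = [c.strip() for c in row.strip().strip("|").split(" | ")]
    if len(cells) != 4 or not cells[1].startswith("\\REGISTRY\\"):
        return None
    action, indicator, process, _target = cells
    path, sep, value = indicator.partition(" = ")
    return RegistryEvent(action, normalize(path), decode_value(value) if sep else None, process)


def image_path(command: str) -> str:
    # First token of an autorun value: a quoted path, or a bare path up to the first space.
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def triage(rows):
    events = [e for e in map(parse_row, rows) if e is not None]
    defender_disabled = sorted({
        e.path.rsplit("\\", 1)[1]
        for e in events
        if DEFENDER_RTP_KEY in e.path and e.action.startswith("Set value") and e.value == "1"
    })
    persistence, sfx_cleanup = [], set()
    for e in events:
        if not e.action.startswith("Set value") or e.value is None or not any(k in e.path for k in AUTORUN_KEYS):
            continue
        name = e.path.rsplit("\\", 1)[1]
        if name.startswith("wextract_cleanup") and "DelNodeRunDLL32" in e.value:
            # IExpress/wextract bookkeeping: deletes its IXP<NNN>.TMP folder at next logon.
            m = re.search(r"IXP\d{3}\.TMP", e.value)
            sfx_cleanup.add(m.group(0) if m else e.value)
            continue
        exe = image_path(e.value)
        low = exe.lower()
        flags = []
        if "\\appdata\\local\\temp\\" in low:
            flags.append("runs from user Temp")
        if low.rsplit("\\", 1)[-1] in SYSTEM_PROCESS_NAMES and not low.startswith("c:\\windows\\system32\\"):
            flags.append("system process name outside System32")
        persistence.append({"name": name, "image": exe, "writer": e.process, "flags": flags})
    return {"defender_disabled": defender_disabled,
            "persistence": persistence,
            "sfx_cleanup_dirs": sorted(sfx_cleanup)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(ROWS), indent=2))
```

On the host, the same split applies: treat `Disable*` values of 1 under `Policies\Microsoft\Windows Defender\Real-Time Protection` as tampering whichever view they sit in (the report shows a 32-bit process writing under `SOFTWARE\WOW6432Node`, so read both `SOFTWARE\Policies\...` and `SOFTWARE\WOW6432Node\Policies\...`), remove the Run entries that point into `AppData\Local\Temp` or at a `csrss.exe` outside System32, and use the `wextract_cleanup` entries only to enumerate the `IXP<NNN>.TMP` folders worth collecting before they are deleted.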
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\9198.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\9198.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Tasks\kuemu.job | C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\Tasks\kuemu.job | C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\9198.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\9198.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\9198.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\9198.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\9198.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31064033" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31064033" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f000000000200000000001066000000010000200000002f8159249a5f30899df8eceba9cfa80d8fdf9ff80bfcebb0ac3e1122102b4377000000000e8000000002000020000000c3e6f43c239185ae70bb6e988defcb18838364c792e486c96a5de2ec998aae1010000000c0b912ccd889532544d7418c61e3432740000000c906156e5cf6cf41b2d23e995cb783967c48cfda1c986c3e776ebd9d318fe5bd77133eceff41aa989f33b2b7ff6f435fd6acddd5efc135dbe1a4acc492a8f34e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "411050865" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "411050865" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31064033" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 042d5e82d5e7d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = (binary data elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{436F55FE-6BD4-11EE-83FE-424EF1D7CB82} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "439590062" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1045988481-1457812719-2617974652-1000\{67551DFF-951A-4136-B32D-862B75D2B923} | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\9198.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\9198.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\9198.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5488.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5A47.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe
"C:\Users\Admin\AppData\Local\Temp\b208603dab24174b0324624346f6eea20047ecea6311d3293990302386a0b50d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1680 -ip 1680
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 148
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1416 -ip 1416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 140
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 676 -ip 676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4064 -ip 4064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 548
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 220
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6802571.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6802571.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe
"C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4480 -ip 4480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 148
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4812 -ip 4812
C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe
"C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tk9Fs0eR.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tk9Fs0eR.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 584
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pd9AT8Ax.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pd9AT8Ax.exe
C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe
"C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly4Vg9xo.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly4Vg9xo.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3984 -ip 3984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1984 -ip 1984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 160
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kl9vi6ZY.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kl9vi6ZY.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3236507.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3236507.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2016 -ip 2016
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 540
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2AV562Ar.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2AV562Ar.exe
C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe
"C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe"
C:\Users\Admin\AppData\Local\Temp\4CD3.exe
C:\Users\Admin\AppData\Local\Temp\4CD3.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe
C:\Users\Admin\AppData\Local\Temp\4F93.exe
C:\Users\Admin\AppData\Local\Temp\4F93.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5169.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe
C:\Users\Admin\AppData\Local\Temp\53AC.exe
C:\Users\Admin\AppData\Local\Temp\53AC.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 272
C:\Users\Admin\AppData\Local\Temp\55B2.exe
C:\Users\Admin\AppData\Local\Temp\55B2.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4220 -ip 4220
C:\Users\Admin\AppData\Local\Temp\58DF.exe
C:\Users\Admin\AppData\Local\Temp\58DF.exe
C:\Users\Admin\AppData\Local\Temp\5488.exe
C:\Users\Admin\AppData\Local\Temp\5488.exe
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1uN09ht3.exe
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1uN09ht3.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3468 -ip 3468
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Users\Admin\AppData\Local\Temp\5A47.exe
C:\Users\Admin\AppData\Local\Temp\5A47.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 140
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4488 -ip 4488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1512 -ip 1512
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0xfc,0x7ffa8fc646f8,0x7ffa8fc64708,0x7ffa8fc64718
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 148
C:\Users\Admin\AppData\Local\Temp\5D75.exe
C:\Users\Admin\AppData\Local\Temp\5D75.exe
C:\ProgramData\wlrlbt\kuemu.exe
C:\ProgramData\wlrlbt\kuemu.exe start2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4212 -ip 4212
C:\Users\Admin\AppData\Local\Temp\695D.exe
C:\Users\Admin\AppData\Local\Temp\695D.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 784
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2AV562Ar.exe
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2AV562Ar.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,12686778864075769379,4097933399500112427,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,12686778864075769379,4097933399500112427,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,12686778864075769379,4097933399500112427,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,12686778864075769379,4097933399500112427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,12686778864075769379,4097933399500112427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8fc646f8,0x7ffa8fc64708,0x7ffa8fc64718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,12686778864075769379,4097933399500112427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8ced9758,0x7ffa8ced9768,0x7ffa8ced9778
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3356 CREDAT:17410 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,12686778864075769379,4097933399500112427,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\7C0B.exe
C:\Users\Admin\AppData\Local\Temp\7C0B.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2984 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Users\Admin\AppData\Local\Temp\9198.exe
C:\Users\Admin\AppData\Local\Temp\9198.exe
C:\Users\Admin\AppData\Roaming\cvcwrjw
C:\Users\Admin\AppData\Roaming\cvcwrjw
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4572 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4436 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:R" /E
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5128 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 --field-trial-handle=1888,i,11509023631006808267,2799127630678317301,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\9198.exe
C:\Users\Admin\AppData\Local\Temp\9198.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\cmd.exe
cmd /c
C:\Windows\system32\runas.exe
runas /user:Administrator C:\Users\Admin\AppData\Local\Temp\9198.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8ced9758,0x7ffa8ced9768,0x7ffa8ced9778
C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\system32\taskkill.exe
taskkill /F /IM Skype.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM browser.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM iridium.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8ced9758,0x7ffa8ced9768,0x7ffa8ced9778
C:\Windows\system32\taskkill.exe
taskkill /F /IM uran.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM epic.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM vivaldi.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM sputnik.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM 7star.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM centbrowser.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM amigo.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM torch.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM kometa.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM orbitum.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM viber.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM WhatsApp.exe.
C:\Windows\system32\taskkill.exe
taskkill /F /IM monero-wallet-gui.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM coinomi.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\taskkill.exe
taskkill /F /IM bitcoin-qt.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\taskkill.exe
taskkill /F /IM bytecoinwallet.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM armoryqt.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM atomicwallet.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM exodus.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM electrum.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM dash-qt.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM litecoin-qt.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM bitcoin-qt.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\ProgramData\wlrlbt\kuemu.exe
C:\ProgramData\wlrlbt\kuemu.exe start2
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
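The schtasks, CACLS, runas, netsh and sc sdset command lines recorded above are the parts of this trace a responder would turn into detections. The Python below is an added example, not part of the sandbox report: it runs a handful of regex rules over command lines (the sample list is copied from the process list above) and, for `sc sdset`, parses the SDDL to report exactly which service-control rights the deny ACE withholds from BUILTIN\Administrators. The rule names, the rights table and the kill-list of process names are the author's own choices, not something the report defines.

```python
import re

# Service-object meaning of each two-letter SDDL right, with its access-mask bit
# (the standard ACCESS_MASK abbreviations as the Service Control Manager reads them).
SERVICE_RIGHTS = {
    "CC": (0x00001, "QUERY_CONFIG"),      "DC": (0x00002, "CHANGE_CONFIG"),
    "LC": (0x00004, "QUERY_STATUS"),      "SW": (0x00008, "ENUMERATE_DEPENDENTS"),
    "RP": (0x00010, "START"),             "WP": (0x00020, "STOP"),
    "DT": (0x00040, "PAUSE_CONTINUE"),    "LO": (0x00080, "INTERROGATE"),
    "CR": (0x00100, "USER_DEFINED_CONTROL"),
    "SD": (0x10000, "DELETE"),            "RC": (0x20000, "READ_CONTROL"),
    "WD": (0x40000, "WRITE_DAC"),         "WO": (0x80000, "WRITE_OWNER"),
}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")   # "D:" + optional flags + ACE list
ACE_RE = re.compile(r"\(([^)]*)\)")


def expand_rights(rights):
    """Turn an SDDL rights field (two-letter codes or a 0x hex mask) into a set of codes."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {code for code, (bit, _) in SERVICE_RIGHTS.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_dacl(sddl):
    """Return the DACL of an SDDL string as a list of (ace_type, rights, sid) tuples."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:          # malformed ACE: skip it rather than guess
            continue
        ace_type, _flags, rights, _obj, _iobj, sid = fields
        aces.append((ace_type, expand_rights(rights), sid))
    return aces


def service_rights_for(sddl, sid, ace_type):
    """Named service rights that ACEs of `ace_type` ('A' allow / 'D' deny) give `sid`."""
    names = set()
    for t, rights, s in parse_dacl(sddl):
        if t == ace_type and s == sid:
            names |= {SERVICE_RIGHTS[r][1] for r in rights if r in SERVICE_RIGHTS}
    return names


def denied_admin_controls(sddl):
    """Service controls a deny ACE withholds from BUILTIN\\Administrators (SDDL alias BA)."""
    return service_rights_for(sddl, "BA", "D")


def admins_can_reset_dacl(sddl):
    """True if BA still holds WRITE_DAC, i.e. `sc sdset` can undo the tampering."""
    return "WRITE_DAC" in service_rights_for(sddl, "BA", "A")


# Process names the author chose for the kill-list rule (a subset of those in the trace).
KILL_LIST = r"(chrome|msedge|firefox|brave|vivaldi|exodus|electrum|bitcoin-qt|monero-wallet-gui|coinomi)\.exe"

RULES = [
    ("persist-schtasks-every-minute", re.compile(r"schtasks.*?/SC\s+MINUTE\s+/MO\s+1\b", re.I)),
    ("persist-schtasks-onlogon-highest", re.compile(r"schtasks.*?/SC\s+ONLOGON.*?/RL\s+HIGHEST", re.I)),
    ("acl-lock-dropped-file", re.compile(r'\bCACLS\s+"[^"]+"\s+/P\s+"[^"]+:N"', re.I)),
    ("firewall-allow-inbound", re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*?dir=in.*?action=allow", re.I)),
    ("runas-administrator", re.compile(r"\brunas\s+/user:Administrator\b", re.I)),
    ("service-sd-tamper", re.compile(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", re.I)),
    ("kill-browser-or-wallet", re.compile(r"taskkill\s+/F\s+/IM\s+" + KILL_LIST, re.I)),
]


def triage(cmdline):
    """Rule names one command line trips; an sc sdset hit carries the rights it denies BA."""
    hits = []
    for name, rx in RULES:
        m = rx.search(cmdline)
        if not m:
            continue
        if name == "service-sd-tamper":
            denied = denied_admin_controls(m.group(2))
            if denied:
                name += ":denies-BA-" + "+".join(sorted(denied))
        hits.append(name)
    return hits


def triage_all(cmdlines):
    """Map every command line that trips at least one rule to its rule names."""
    report = {}
    for c in cmdlines:
        hits = triage(c)
        if hits:
            report[c] = hits
    return report


# Constructed sample input: command lines copied from the process list above.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F',
    r'CACLS "legota.exe" /P "Admin:N"',
    r'CACLS "legota.exe" /P "Admin:R" /E',
    r'runas /user:Administrator C:\Users\Admin\AppData\Local\Temp\9198.exe',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'taskkill /F /IM chrome.exe',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process',
]

if __name__ == "__main__":
    for cmd, hits in triage_all(SAMPLE_CMDLINES).items():
        print(", ".join(hits), "<-", cmd[:70])
```

Two points the SDDL on this page makes worth checking in code rather than by eye: the deny ACE `(D;;WPDT;;;BA)` removes only SERVICE_STOP and SERVICE_PAUSE_CONTINUE from Administrators, and the allow ACE for BA keeps WRITE_DAC and WRITE_OWNER, so an administrator can still rewrite the descriptor with `sc sdset` before stopping the service. Likewise the `CACLS ... /P "Admin:N"` followed by `/P "Admin:R" /E` leaves the dropped binary and its directory read-only for the account it runs as, but that account created the file and therefore owns it, and an owner always keeps the implicit right to rewrite the DACL (`icacls <file> /reset`), so cleanup does not need a second account.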
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| FI | 77.91.68.52:80 | 77.91.68.52 | tcp |
| US | 8.8.8.8:53 | 52.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| US | 8.8.8.8:53 | 78.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 147.174.42.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.25.221.88.in-addr.arpa | udp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| FI | 77.91.68.52:80 | 77.91.68.52 | tcp |
| TR | 185.216.70.222:80 | 185.216.70.222 | tcp |
| RU | 5.42.92.88:80 | 5.42.92.88 | tcp |
| US | 8.8.8.8:53 | 222.70.216.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.92.42.5.in-addr.arpa | udp |
| BG | 171.22.28.213:80 | 171.22.28.213 | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp |
| IT | 185.196.9.65:80 | | tcp |
| NL | 85.209.176.128:80 | 85.209.176.128 | tcp |
| US | 8.8.8.8:53 | 65.9.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.176.209.85.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| TR | 185.216.70.238:37515 | | tcp |
| US | 8.8.8.8:53 | 238.70.216.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.75.67.172.in-addr.arpa | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.39.251.142.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| DE | 172.217.23.202:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 16.221.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.youtube.com | udp |
| NL | 142.250.179.206:443 | accounts.youtube.com | tcp |
| US | 8.8.8.8:53 | 206.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| NL | 142.251.36.46:443 | clients2.google.com | tcp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 46.36.251.142.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| FI | 77.91.68.52:80 | 77.91.68.52 | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | accounts.youtube.com | udp |
| NL | 142.250.179.206:443 | accounts.youtube.com | tcp |
| NL | 142.250.179.206:443 | accounts.youtube.com | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| US | 8.8.8.8:53 | 200.81.21.72.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 4242d6a6-87f1-4d2c-8db6-5b46837d51a5.uuid.statsexplorer.org | udp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | server15.statsexplorer.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun3.l.google.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 74.125.204.127:19302 | stun3.l.google.com | udp |
| BG | 185.82.216.108:443 | server15.statsexplorer.org | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.97.0:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 127.204.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| N/A | 127.0.0.1:3389 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| BG | 185.82.216.108:443 | server15.statsexplorer.org | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| BG | 185.82.216.108:443 | server15.statsexplorer.org | tcp |
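The Network table mixes three kinds of rows: the sandbox's own reverse-DNS lookups through 8.8.8.8, browser traffic from the login pages the samples opened (Google, Facebook, Bing), and the connections the samples themselves made. The Python below is an added example, not part of the report: it parses rows in the table's own markdown layout (including flattened rows in which the proto slid into an empty Domain column), buckets each connection, and counts the ip:port pairs that look like command-and-control (a non-standard port, or plain HTTP to a bare IP). The sample rows are copied from the table above; the domain buckets, bucket names and the "c2-candidate" heuristic are the author's own assumptions, not something the report asserts.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: rows copied from the Network table above, including two
# flattened rows in which the proto sits where the Domain column should be.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| FI | 77.91.68.52:80 | 77.91.68.52 | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| FI | 77.91.124.82:19071 | tcp | |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| TR | 185.216.70.238:37515 | tcp | |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 127.0.0.1:3389 | tcp | |
| BG | 185.82.216.108:443 | server15.statsexplorer.org | tcp |
"""

# Four pipe-separated cells; lazy groups so surrounding spaces stay out of the values.
ROW_RE = re.compile(r"^\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$")

# Domain buckets are the author's assumptions for this trace, not report data.
BROWSER_NOISE = ("google.com", "googleapis.com", "youtube.com", "facebook.com",
                 "fbcdn.net", "bing.com", "microsoft.com")
IP_LOOKUP = ("api.ip.sb", "ipinfo.io")
PUBLIC_FILE_HOSTS = ("transfer.sh", "cdn.discordapp.com")


def parse_row(line):
    """One table row -> dict, repairing rows whose proto landed in the Domain column."""
    m = ROW_RE.match(line.strip())
    if not m or m.group(1) == "Country":      # skip non-rows and the header
        return None
    country, dst, col3, col4 = m.groups()
    if col4 == "" and col3.lower() in ("tcp", "udp"):
        col3, col4 = "", col3                 # flattened row: no domain, proto shifted left
    ip, _, port = dst.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port),
            "domain": col3, "proto": col4.lower()}


def parse_table(text):
    rows = (parse_row(line) for line in text.splitlines())
    return [r for r in rows if r]


def classify(row):
    """Bucket one connection; only the c2-candidate buckets need a human."""
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_loopback or ip.is_multicast or ip.is_private:
        return "local"
    if row["port"] == 53:
        # The sandbox's own reverse lookups are noise; forward lookups name real peers.
        return "dns-ptr" if row["domain"].endswith(".in-addr.arpa") else "dns-query"
    d = row["domain"]
    if d in IP_LOOKUP:
        return "ip-lookup"
    if d in PUBLIC_FILE_HOSTS:
        return "public-file-host"
    if any(d == s or d.endswith("." + s) for s in BROWSER_NOISE):
        return "browser-noise"
    if row["port"] not in (80, 443):
        return "c2-candidate:odd-port"
    if d == "" or d == row["ip"]:
        return "c2-candidate:bare-ip"
    return "review"


def c2_candidates(text):
    """Counter of ip:port for c2-candidate rows; repeats are the beaconing signal."""
    hits = Counter()
    for row in parse_table(text):
        if classify(row).startswith("c2-candidate"):
            hits[row["ip"] + ":" + str(row["port"])] += 1
    return hits


if __name__ == "__main__":
    for row in parse_table(SAMPLE_ROWS):
        print(f'{classify(row):24} {row["ip"]}:{row["port"]} {row["domain"]}')
    print(c2_candidates(SAMPLE_ROWS).most_common())
```

Repeated connections to the same ip:port on an unusual port (77.91.124.55:19071 in the sample) are the beaconing to chase first; a single HTTP hit on a bare IP is more likely a one-shot payload fetch and is best cross-checked against the Files section. The ordering is a triage order, not attribution: the report does not say which of the dropped samples owns which address.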
Files
memory/3944-0-0x0000000000400000-0x000000000053D000-memory.dmp
memory/3944-1-0x0000000000400000-0x000000000053D000-memory.dmp
memory/3944-2-0x0000000000400000-0x000000000053D000-memory.dmp
memory/3944-3-0x0000000000400000-0x000000000053D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7997192.exe
| MD5 | 936970e378a3aff3db82c3aa3c260918 |
| SHA1 | a92b3dc2d920414d011130acdec3b15ee99d12b5 |
| SHA256 | 3ab5368640fc91ec2bf070d6557de6e573c64535b64706ee4b212da33be1744e |
| SHA512 | 6c20aa935937ded851d4aa14d9292fd83f409288d431559ff3019e995841b8bb2592ae227a3bf653fd7697b269d3ef72f7b6ab65243b305446b0f5963783c368 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9277706.exe
| MD5 | 371961674f9baf00d0681cf000352c56 |
| SHA1 | 58b4ccd38f7c22b020f74103e152a4179b303551 |
| SHA256 | b8ad25c33ef0d7871f4835c2a2d215b85bdf0e4b5ee8166c62e161b29cfe0411 |
| SHA512 | 7f1a38e1dc617e90b2594c805892f78fba247b4d9c0c44fe57b461e65eaf705a33a14bc0a5741f7f5dccba7fa940a2db717b30775dd26b5c7ec37bebc3ec42ec |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3833933.exe
| MD5 | 01f4d197c02f1db661acc5d1a966d7be |
| SHA1 | 45b84854cfa8715ffbb65632f5d6dd1a1928ba10 |
| SHA256 | b201c21cd311d7c6f7437b330f5d44eb1284ac2d2eea98110ec09427e8b898b4 |
| SHA512 | 5914c30af00908a92699abda6e1865b3a16c8705fa0c4630c23b7d2967a4790cbc994f05bf14e6461bacc24149285f258742eb644024a99acf34d6549d9567fa |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9364995.exe
| MD5 | d378528093ac8d36112695dedd14467e |
| SHA1 | 5244aa8304ab53a8965b5b7741b0b36bccc18e6e |
| SHA256 | bed5dfffa8bc81337317892648affe16f64ba04c3a9ca3ea6ea6506c830fc2d3 |
| SHA512 | 2aae3fab87abde88b1948c9e7ddae9579ee4844c75304ea64faa9064814672ffa611684d459bca21a6afc90da74c827cd9ec2e7f9c49001fb45063d73e588773 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4072385.exe
| MD5 | c5e20b7589f18cf8fdbd0f936663a934 |
| SHA1 | eea0a6ab70157314289102f32fcab96feafb9a4e |
| SHA256 | 9e732cfa94e805485c916c71a67badc27dd9e071494156c60093871e74f38bc4 |
| SHA512 | 544507f4143bdfb56ea27869827857294a1eaad53e59cb8acc202585bd7bad8755d6e1d0ca27985c0d486933a5f80f8b3f4a2491fb33504419074d3cbb4621e1 |
memory/1636-39-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1636-40-0x0000000073FF0000-0x00000000747A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3601291.exe
| MD5 | 1d8738b6408875c98ecc722c79a44c2b |
| SHA1 | 2b13e9cfd7b86754991e3e24591d8f1f05721dce |
| SHA256 | 22feda81500bb6b14d8f4b88fb174350fe427d35ebabe00daaecc52e38e58ce3 |
| SHA512 | 0de81a2d3e8deac73d9d8a927f1b844c61da926c70ef30a1757bd6ecb159ca53737e6f0d391712c575b7bd9541ca2e60be5c1424542a2691b22a6906192aa280 |
memory/4064-44-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4064-45-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4064-46-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4064-48-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6875310.exe
| MD5 | b23e4f1b59795f30f0de3d7f1c5e6b0f |
| SHA1 | 3e402dcabfc85582e42f801b6102f6d7d9a38a1a |
| SHA256 | 503d2d7d495d85d0b832d069439f31f605e683a94b434cc06255c818dcea8bd3 |
| SHA512 | 5d20999393700e3ea570a3c6a2931bb4a45b54cd752195f014ad3ad7955805c4e77b55b9fa8ca0afa3c9b06b3ec99438a254e5fcd29311f3f3922efd554d6390 |
memory/1044-52-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1044-53-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0155604.exe
| MD5 | c256a814d3f9d02d73029580dfe882b3 |
| SHA1 | e11e9ea937183139753f3b0d5e71c8301d000896 |
| SHA256 | 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c |
| SHA512 | 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
| MD5 | c256a814d3f9d02d73029580dfe882b3 |
| SHA1 | e11e9ea937183139753f3b0d5e71c8301d000896 |
| SHA256 | 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c |
| SHA512 | 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6802571.exe
| MD5 | 2140220b8e72308f35acc9c3e79ea4e4 |
| SHA1 | 73c7a5c755b6d64faf75a3c527483113d9bedb26 |
| SHA256 | 452c14c2a7a3f4d725d467db3c2b8840c2ed875c9cdd4172626fb45d5ac7b62c |
| SHA512 | 1da353ec2bf469cf6a9bb5b90f5b1b8d3fe2a084c71aa32526a7309e0f7755604fc3eec4066ad77d960904c7f70b997b9c582d1b42661512908a29028e720cb9 |
C:\Users\Admin\AppData\Local\Temp\1000074041\2.ps1
| MD5 | 396a54bc76f9cce7fb36f4184dbbdb20 |
| SHA1 | bb4a6e14645646b100f72d6f41171cd9ed6d84c4 |
| SHA256 | 569231a6d7fcb66f4cacf62fd927c9c7da74d720e78ae09e07032b71a1e0a43a |
| SHA512 | 645dd17a7ddad1f8cc7b35ff0c2a5c02edfe13f21e312c3e2b7b87f75b18376cc153b2f7323558fa4fb36422878bbcc40c66ab3f6f83c60a8bee3c87ae296bbe |
memory/4632-75-0x00000000052A0000-0x00000000052D6000-memory.dmp
memory/3944-74-0x0000000000400000-0x000000000053D000-memory.dmp
memory/4632-76-0x0000000073FF0000-0x00000000747A0000-memory.dmp
memory/4632-77-0x0000000005330000-0x0000000005340000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000075051\sus.exe
| MD5 | ed68db3e61b1eab8d1de76b206b4a49d |
| SHA1 | 8d69b9cf4b766b3a8bea15a66be92c03fa175f5d |
| SHA256 | 73692bf03a65b37f94c489a31213c952ff6da8efa40ec3005070c22be8564850 |
| SHA512 | b52977a57bf40b5f40b9a2cc3be327e8f67aea9373541cd361ffc1b729c05353a9b4c8acfe4346f186add5341061a3e72acb86f0f89f24ba1d10131ef75d2d52 |
memory/5100-88-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1636-91-0x0000000073FF0000-0x00000000747A0000-memory.dmp
memory/4632-92-0x0000000005330000-0x0000000005340000-memory.dmp
memory/3172-93-0x0000000003010000-0x0000000003026000-memory.dmp
memory/1044-95-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5100-98-0x0000000073FF0000-0x00000000747A0000-memory.dmp
memory/4632-99-0x0000000005970000-0x0000000005F98000-memory.dmp
memory/5100-97-0x0000000002920000-0x0000000002926000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000076051\foto2552.exe
| MD5 | 296a99463a7cab9be804160b9a921511 |
| SHA1 | 7e68a29ee63ba62a1aad985843540add58c50470 |
| SHA256 | ab3305290371a32c8c458ae5abaea266df3a37f9b51ab59f3504425e780d4074 |
| SHA512 | f6431046814f474900c7e3f02b3c62d9fb8b08b5cd1a7d293db63e78f7d86eb8ca4a8f22c7c62c0aa006e97c255b00e80d0e6f70d0b7591edb60261c69899f13 |
memory/4292-115-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4632-124-0x00000000060D0000-0x00000000060F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tk9Fs0eR.exe
| MD5 | 49c6b2129cba0a548bc9ea93e8a64dde |
| SHA1 | 50cb8f80a6406eddf22196a4b377a224741a248c |
| SHA256 | 8d2411fb2f127410d8183c9900058be2be6b6b0ab1ea7ebcd72955c12f6c671e |
| SHA512 | 4a46d8107380f907d90c4f2eba20d003ca29100cd1bb06a3c0a21652c158fd3aee82e95c45e61b4e17b17ff18e33b4a012f227e0c77c7325b5f364cdb077b5f6 |
C:\Users\Admin\AppData\Local\Temp\1000077051\nalo.exe
| MD5 | 0c37d9cb86e3e66f48608b6015f2dd0c |
| SHA1 | 9eb94f6fd734a914b3e764f7580b921025df6d25 |
| SHA256 | c70d9ea784b5a26cf6b2e2383640e265f4d3f65b208a5fb1ab73019d54c42ebb |
| SHA512 | dc4035adb37de5ba8828b47bfea0e774a12fa2e789556489b9ba1ff110dff55190eb292fb2feabb886c7e00aad695ba39f2d7793b6a6eab744fd36a86b390a62 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pd9AT8Ax.exe
| MD5 | e1e9e4d39b7e9b45b885b7334c24b73d |
| SHA1 | b6dbedaafbf5a3f7ef424a904195fe50dc6199dc |
| SHA256 | d9c6b825ecb02120ef96fb915de6feb274d95970241a53a3cc86b4eb73386fb1 |
| SHA512 | 4a098850956283c99bff1e36314ba2c5147a83686d98e974d089389641c3208006bc86028341f0278032b943826e6fc4093603ce83a5d698fd22d230786ef8d2 |
memory/1636-142-0x0000000073FF0000-0x00000000747A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4rpagcea.zwf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ly4Vg9xo.exe
| MD5 | 868ea2d858e6aa3a541f36b9b9249485 |
| SHA1 | e659f9b7e75313fe94f67350cd4c9518428b61d2 |
| SHA256 | eac5a537d1cec2e14707af5afa910fbd6e27daf6899fa2cbafabe9717971edc0 |
| SHA512 | 324badcfefec1ef4884f6c8999c005b73076671feba9e2f792068782519f9cb9259dbb8b2cff0b359290174add74e53da4a3103cd69eb588eab56275b9b0ac5d |
memory/1984-161-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1984-167-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1984-166-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1984-169-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4632-170-0x0000000006200000-0x0000000006266000-memory.dmp
memory/4632-171-0x0000000006190000-0x00000000061F6000-memory.dmp
memory/5100-173-0x0000000005880000-0x0000000005E98000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kl9vi6ZY.exe
| MD5 | 9d8956aa80a4ff33e0f19f3ec2cca953 |
| SHA1 | 6993a5a4710fe281ca5d112c8e822155832820ea |
| SHA256 | 4f2e85da049de46e98eb26753a08e545526be10544a799aaebbf857e102015be |
| SHA512 | ec586f9b4e087b4f2f989bb2807c16d6bf41e7634c79aa85cee113b30d65b350042a6f1744b9ffa9433e8bd44cd1fcabd4f2796e7861d122c89ad9fd1695b484 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3236507.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
memory/5100-194-0x0000000005370000-0x000000000547A000-memory.dmp
memory/5100-199-0x0000000005260000-0x0000000005272000-memory.dmp
memory/5100-200-0x0000000005250000-0x0000000005260000-memory.dmp
memory/4632-198-0x0000000006370000-0x00000000066C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1uN09ht3.exe
| MD5 | 1fa45c8aae9d67b6c00c5f94ce24cf2c |
| SHA1 | 20308b1f915af3bbf393b41727e89757e92c38af |
| SHA256 | a66bc927db7d3a2c22a1383d01cc46f07c6ec3f177fc2f65efce42a56a93240b |
| SHA512 | 818d0f27d0687ab13e677599ee8d042d8ec8dd28358f5b885a940929313e76703b94e4654c2ada473fe42b5524cb34d17cf0aed5a3210b0bea427b582391dfe7 |
memory/5100-202-0x00000000052C0000-0x00000000052FC000-memory.dmp
memory/3944-203-0x0000000000400000-0x000000000053D000-memory.dmp
memory/5100-204-0x0000000005300000-0x000000000534C000-memory.dmp
memory/3172-206-0x00000000030E0000-0x00000000030F6000-memory.dmp
memory/4212-210-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4212-211-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4632-212-0x0000000073FF0000-0x00000000747A0000-memory.dmp
memory/4292-213-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4212-215-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4632-216-0x0000000005330000-0x0000000005340000-memory.dmp
memory/4632-217-0x0000000005330000-0x0000000005340000-memory.dmp
memory/4632-218-0x0000000006860000-0x000000000687E000-memory.dmp
memory/5100-219-0x0000000073FF0000-0x00000000747A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2AV562Ar.exe
| MD5 | fa1fb003b8579fce1ec837487a842c35 |
| SHA1 | a7182b39581d3036c287ca54aa5b8cd41720d2cc |
| SHA256 | 5366c36e6380b6bb7dcfec54ba4df1f61d732942b415841125df6ab97aeac138 |
| SHA512 | 7e00d532f8b84ef180f4a88188eb2466c3d2b96089a623ec2b4dbcbfca12ac2040c6808c53b00c60cd5ccf955972b895aa60657d75f732cdc9c088eacfffc56c |
memory/2592-230-0x0000000073FF0000-0x00000000747A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000127051\socks.exe
| MD5 | 2a18e8163bdd80fcde52ac7a630ca65d |
| SHA1 | 18983ef45b2953cb5b7ee9ed6fa153e406c85311 |
| SHA256 | f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82 |
| SHA512 | bd027a5fa5520e15e9724032fe329f53b09c85f74b77392cfe2ca0ed7c8bc2aafda003cfc0de1ce7812716993e3ce96125954864bdd149074bc476023d94c6cb |
memory/2592-236-0x0000000000040000-0x000000000007E000-memory.dmp
memory/2592-244-0x00000000072C0000-0x0000000007864000-memory.dmp
memory/2592-245-0x0000000006DC0000-0x0000000006E52000-memory.dmp
memory/2592-246-0x0000000006D90000-0x0000000006DA0000-memory.dmp
memory/2592-247-0x0000000006FC0000-0x0000000006FCA000-memory.dmp
memory/5100-248-0x0000000005250000-0x0000000005260000-memory.dmp
memory/4632-249-0x0000000005330000-0x0000000005340000-memory.dmp
memory/4632-250-0x00000000078A0000-0x0000000007936000-memory.dmp
memory/4632-251-0x0000000006D80000-0x0000000006D9A000-memory.dmp
memory/4632-252-0x0000000006DF0000-0x0000000006E12000-memory.dmp
memory/4632-253-0x000000007F140000-0x000000007F150000-memory.dmp
memory/4632-254-0x00000000079A0000-0x00000000079D2000-memory.dmp
memory/4632-255-0x000000006C5C0000-0x000000006C60C000-memory.dmp
memory/4632-265-0x0000000007980000-0x000000000799E000-memory.dmp
memory/4632-266-0x0000000007BE0000-0x0000000007C83000-memory.dmp
memory/4632-267-0x0000000008B20000-0x000000000919A000-memory.dmp
memory/4632-269-0x0000000007E20000-0x0000000007E2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4CD3.exe
| MD5 | 296a99463a7cab9be804160b9a921511 |
| SHA1 | 7e68a29ee63ba62a1aad985843540add58c50470 |
| SHA256 | ab3305290371a32c8c458ae5abaea266df3a37f9b51ab59f3504425e780d4074 |
| SHA512 | f6431046814f474900c7e3f02b3c62d9fb8b08b5cd1a7d293db63e78f7d86eb8ca4a8f22c7c62c0aa006e97c255b00e80d0e6f70d0b7591edb60261c69899f13 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tk9Fs0eR.exe
| MD5 | 49c6b2129cba0a548bc9ea93e8a64dde |
| SHA1 | 50cb8f80a6406eddf22196a4b377a224741a248c |
| SHA256 | 8d2411fb2f127410d8183c9900058be2be6b6b0ab1ea7ebcd72955c12f6c671e |
| SHA512 | 4a46d8107380f907d90c4f2eba20d003ca29100cd1bb06a3c0a21652c158fd3aee82e95c45e61b4e17b17ff18e33b4a012f227e0c77c7325b5f364cdb077b5f6 |
C:\Users\Admin\AppData\Local\Temp\4F93.exe
| MD5 | 1fa45c8aae9d67b6c00c5f94ce24cf2c |
| SHA1 | 20308b1f915af3bbf393b41727e89757e92c38af |
| SHA256 | a66bc927db7d3a2c22a1383d01cc46f07c6ec3f177fc2f65efce42a56a93240b |
| SHA512 | 818d0f27d0687ab13e677599ee8d042d8ec8dd28358f5b885a940929313e76703b94e4654c2ada473fe42b5524cb34d17cf0aed5a3210b0bea427b582391dfe7 |
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Pd9AT8Ax.exe
| MD5 | e1e9e4d39b7e9b45b885b7334c24b73d |
| SHA1 | b6dbedaafbf5a3f7ef424a904195fe50dc6199dc |
| SHA256 | d9c6b825ecb02120ef96fb915de6feb274d95970241a53a3cc86b4eb73386fb1 |
| SHA512 | 4a098850956283c99bff1e36314ba2c5147a83686d98e974d089389641c3208006bc86028341f0278032b943826e6fc4093603ce83a5d698fd22d230786ef8d2 |
C:\Users\Admin\AppData\Local\Temp\5169.bat
| MD5 | 403991c4d18ac84521ba17f264fa79f2 |
| SHA1 | 850cc068de0963854b0fe8f485d951072474fd45 |
| SHA256 | ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f |
| SHA512 | a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576 |
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Ly4Vg9xo.exe
| MD5 | 868ea2d858e6aa3a541f36b9b9249485 |
| SHA1 | e659f9b7e75313fe94f67350cd4c9518428b61d2 |
| SHA256 | eac5a537d1cec2e14707af5afa910fbd6e27daf6899fa2cbafabe9717971edc0 |
| SHA512 | 324badcfefec1ef4884f6c8999c005b73076671feba9e2f792068782519f9cb9259dbb8b2cff0b359290174add74e53da4a3103cd69eb588eab56275b9b0ac5d |
memory/4632-304-0x0000000007E40000-0x0000000007E51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\53AC.exe
| MD5 | cb6e2f389f21e3ea466698a289e5089c |
| SHA1 | 8f3c17c72b7a4813883bffa8d600848fa4d7930c |
| SHA256 | 76426f6eeaff9fc1542bbb511691c20df2d31c678d2110c444c992d2df1e6a37 |
| SHA512 | ff4128122587543d5db15909e126f67669fe3ccdb093c734f66f7d971b0e26e14ca04a7b791a657b512033991c726e660c6d6a11cf12964cd49a333011c64e0e |
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\kl9vi6ZY.exe
| MD5 | 9d8956aa80a4ff33e0f19f3ec2cca953 |
| SHA1 | 6993a5a4710fe281ca5d112c8e822155832820ea |
| SHA256 | 4f2e85da049de46e98eb26753a08e545526be10544a799aaebbf857e102015be |
| SHA512 | ec586f9b4e087b4f2f989bb2807c16d6bf41e7634c79aa85cee113b30d65b350042a6f1744b9ffa9433e8bd44cd1fcabd4f2796e7861d122c89ad9fd1695b484 |
memory/1112-320-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\2AV562Ar.exe
| MD5 | fa1fb003b8579fce1ec837487a842c35 |
| SHA1 | a7182b39581d3036c287ca54aa5b8cd41720d2cc |
| SHA256 | 5366c36e6380b6bb7dcfec54ba4df1f61d732942b415841125df6ab97aeac138 |
| SHA512 | 7e00d532f8b84ef180f4a88188eb2466c3d2b96089a623ec2b4dbcbfca12ac2040c6808c53b00c60cd5ccf955972b895aa60657d75f732cdc9c088eacfffc56c |
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1uN09ht3.exe
| MD5 | 1fa45c8aae9d67b6c00c5f94ce24cf2c |
| SHA1 | 20308b1f915af3bbf393b41727e89757e92c38af |
| SHA256 | a66bc927db7d3a2c22a1383d01cc46f07c6ec3f177fc2f65efce42a56a93240b |
| SHA512 | 818d0f27d0687ab13e677599ee8d042d8ec8dd28358f5b885a940929313e76703b94e4654c2ada473fe42b5524cb34d17cf0aed5a3210b0bea427b582391dfe7 |
C:\Users\Admin\AppData\Local\Temp\5488.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
memory/2592-336-0x0000000006D90000-0x0000000006DA0000-memory.dmp
memory/3832-335-0x0000000002360000-0x0000000002380000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\55B2.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/3832-338-0x0000000073FF0000-0x00000000747A0000-memory.dmp
memory/3832-339-0x0000000002230000-0x0000000002240000-memory.dmp
memory/3832-340-0x0000000002230000-0x0000000002240000-memory.dmp
memory/3832-337-0x0000000002450000-0x000000000246E000-memory.dmp
memory/3832-342-0x0000000002450000-0x0000000002468000-memory.dmp
memory/3832-344-0x0000000002450000-0x0000000002468000-memory.dmp
memory/3832-346-0x0000000002450000-0x0000000002468000-memory.dmp
memory/4632-343-0x0000000005330000-0x0000000005340000-memory.dmp
memory/1300-341-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1112-316-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2592-315-0x0000000073FF0000-0x00000000747A0000-memory.dmp
memory/1112-307-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1300-347-0x0000000073FF0000-0x00000000747A0000-memory.dmp
memory/3832-351-0x0000000002450000-0x0000000002468000-memory.dmp
memory/3832-353-0x0000000002450000-0x0000000002468000-memory.dmp
memory/1512-361-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1512-363-0x0000000000400000-0x0000000000432000-memory.dmp
memory/3832-364-0x0000000002450000-0x0000000002468000-memory.dmp
memory/3832-360-0x0000000002450000-0x0000000002468000-memory.dmp
memory/4632-358-0x000000007F140000-0x000000007F150000-memory.dmp
memory/1512-368-0x0000000000400000-0x0000000000432000-memory.dmp
memory/3832-369-0x0000000002450000-0x0000000002468000-memory.dmp
memory/3832-374-0x0000000002450000-0x0000000002468000-memory.dmp
memory/3832-379-0x0000000002450000-0x0000000002468000-memory.dmp
memory/1076-376-0x0000000073FF0000-0x00000000747A0000-memory.dmp
memory/1076-375-0x0000000000980000-0x00000000009DA000-memory.dmp
memory/3832-383-0x0000000002450000-0x0000000002468000-memory.dmp
memory/3832-385-0x0000000002450000-0x0000000002468000-memory.dmp
memory/3832-392-0x0000000002450000-0x0000000002468000-memory.dmp
memory/3832-395-0x0000000002450000-0x0000000002468000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | db9dbef3f8b1f616429f605c1ebca2f0 |
| SHA1 | ffba76f0836c024828d4ff1982cc4240c41a8f16 |
| SHA256 | 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1 |
| SHA512 | 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9b74e7608a8db1e9764db2329cf508e0 |
| SHA1 | b01b8890da12731722c805bcb76f34267733c94c |
| SHA256 | 1c6289d519391093197614ce25b83093b70a5e8cae62bc0432d5aa3807cdc7d2 |
| SHA512 | a08f0d1b91f4fdbdf116d72b2d8aaded49c2aa94e3b5977664097fe6b0354edac7367155ac44b3ec271ac24473196378805622b3f1398b7053a8cb0da67026b9 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 81e4fc7bd0ee078ccae9523fa5cb17a3 |
| SHA1 | 4d25ca2e8357dc2688477b45247d02a3967c98a4 |
| SHA256 | c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee |
| SHA512 | 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22 |
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0bdaebfeace24982b0992263636b9740 |
| SHA1 | 48dc9018a6a9bb9f69c5e79b0c44923b18421877 |
| SHA256 | 300c7c0b6c4c03484cd7426e802855c0c50b53a1d007150b92752c74a05c879f |
| SHA512 | f25b6f87bb4741739ef61724e88df79edb261e536641f2eda0154209b728b1d5da3cdb9ad50bf8c7ac617b52f4a65fa7164217cf72419d31f24f1a6f7e3e8906 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1112948c0e3735d654d035d61be2ac94 |
| SHA1 | a82bb00bc60b58d397afc1e6e0bcd68ae9700656 |
| SHA256 | a996c92af35b94b08aea67382a95313b5e1e59d43c41155915b4b1809f182ba6 |
| SHA512 | cb80f2d316255b00735d7c4c3a44a2f925581180cfbe9a8cac8848a134aff39980e81f1da6cc1b6f2f2593f091d8687c7df039b37275155edbf1ff27e24a2941 |
C:\Users\Admin\AppData\Local\Temp\tmpA7BD.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmpA87A.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmpA84F.tmp
| MD5 | 90e96ddf659e556354303b0029bc28fc |
| SHA1 | 22e5d73edd9b7787df2454b13d986f881261af57 |
| SHA256 | b62f6f0e4e88773656033b8e70eb487e38c83218c231c61c836d222b1b1dca9e |
| SHA512 | bd1b188b9749decacb485c32b7885c825b6344a92f2496b38e5eb3f86b24015c63bd1a35e82969306ab6d6bc07826442e427f4765beade558378a4404af087a9 |
C:\Users\Admin\AppData\Local\Temp\tmpA8D5.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmpA8BF.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\tmpA95E.tmp
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
| MD5 | da597791be3b6e732f0bc8b20e38ee62 |
| SHA1 | 1125c45d285c360542027d7554a5c442288974de |
| SHA256 | 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
| SHA512 | d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 6dcb90ba1ba8e06c1d4f27ec78f6911a |
| SHA1 | 71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9 |
| SHA256 | 30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416 |
| SHA512 | dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 0c459e65bcc6d38574f0c0d63a87088a |
| SHA1 | 41e53d5f2b3e7ca859b842a1c7b677e0847e6d65 |
| SHA256 | 871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4 |
| SHA512 | be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 2ac6d3fcf6913b1a1ac100407e97fccb |
| SHA1 | 809f7d4ed348951b79745074487956255d1d0a9a |
| SHA256 | 30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe |
| SHA512 | 79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\EGWOM5I1\favicon[2].ico
| MD5 | f3418a443e7d841097c714d69ec4bcb8 |
| SHA1 | 49263695f6b0cdd72f45cf1b775e660fdc36c606 |
| SHA256 | 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770 |
| SHA512 | 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563 |
C:\Users\Admin\AppData\Local\NL10.127.0.53\Google Chrome\webhistory.txt
| MD5 | 2a76b3e934844a2a713d509f764db633 |
| SHA1 | 3c190760fc63f72319dcc8535626e5f4cf6f46ff |
| SHA256 | 0d4d39a3d65d961dbd5df255f4cf69ab6b87076a9a366a8db723c98b7bbf20f2 |
| SHA512 | 6d8f86a39dacb158cba5956610578f3e9873d66547e62cb491c440b108062cae2c35d16e292fd2f528d70ed9e5814c8916f4ada9f551498a5366fb709a9b1a82 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 6d5040418450624fef735b49ec6bffe9 |
| SHA1 | 5fff6a1a620a5c4522aead8dbd0a5a52570e8773 |
| SHA256 | dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3 |
| SHA512 | bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | ec41f740797d2253dc1902e71941bbdb |
| SHA1 | 407b75f07cb205fee94c4c6261641bd40c2c28e9 |
| SHA256 | 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520 |
| SHA512 | e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7H3JZN74\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
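The memory dump names above follow the sandbox's `memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp` convention, and the dropped-file entries are a path followed by `| MD5 | ... |` style digest rows. Read raw, the list hides what a triager actually wants: that PID 3832 had the same region at 0x2450000 dumped over a dozen times (consistent with the WriteProcessMemory and SetThreadContext behaviours in the summary), that PIDs 1112 and 1512 both had a 0x400000-0x432000 region dumped (the classic PE image base, a hollowed or injected executable candidate), that 0x73FF0000-0x747A0000 is the same module mapped in PIDs 2592, 1300 and 1076, and that the Edge "Preferences", "Local State" and INetCache files are browser state the stealer read rather than payloads, whereas `oldplayer.exe`, `31839b57a4f11171d6abc8bbc4451ee4.exe` and the `cred64.dll` / `clip64.dll` pairs under `%APPDATA%\<14 hex chars>\` are the files worth hunting on. The helper below is an added example written for this page, not the sandbox's own tooling: it parses both artifact formats and surfaces those groupings. The sample lines are copied from this report; the "browser state is noise" path filter, the 0x400000 image-base heuristic and the `DIGEST_LEN` check are assumptions of the example.

```python
import re
from collections import defaultdict

# Sandbox artifact naming: memory/<pid>-<dump seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)
# One digest row of a dropped-file table: | MD5 | <hex> |
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Assumption (heuristic): browser/IE state the stealer only read, not payloads.
NOISE_MARKERS = ("\\Microsoft\\Edge\\User Data\\", "\\INetCache\\", "\\Internet Explorer\\")

# Constructed sample input, copied from this report's artifact list.
SAMPLE_DUMPS = [
    "memory/3832-337-0x0000000002450000-0x000000000246E000-memory.dmp",
    "memory/3832-342-0x0000000002450000-0x0000000002468000-memory.dmp",
    "memory/4632-343-0x0000000005330000-0x0000000005340000-memory.dmp",
    "memory/1112-316-0x0000000000400000-0x0000000000432000-memory.dmp",
    "memory/1512-361-0x0000000000400000-0x0000000000432000-memory.dmp",
    "memory/2592-315-0x0000000073FF0000-0x00000000747A0000-memory.dmp",
    "memory/1300-347-0x0000000073FF0000-0x00000000747A0000-memory.dmp",
    "memory/1076-376-0x0000000073FF0000-0x00000000747A0000-memory.dmp",
]
SAMPLE_TABLE = r"""
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9b74e7608a8db1e9764db2329cf508e0 |
| SHA256 | 1c6289d519391093197614ce25b83093b70a5e8cae62bc0432d5aa3807cdc7d2 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| SHA256 | 871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4 |
"""


def parse_dump_name(name):
    """Return pid, seq, start, end and size for one dump filename, or None if it is not one."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def shared_regions(names):
    """Map (start, end) -> set of PIDs for regions dumped from more than one process."""
    by_region = defaultdict(set)
    for d in map(parse_dump_name, names):
        if d:
            by_region[(d["start"], d["end"])].add(d["pid"])
    return {r: pids for r, pids in by_region.items() if len(pids) > 1}


def image_base_pids(names, base=0x400000):
    """PIDs with a dump starting at the default PE image base (hollowing/injection candidates)."""
    return sorted({d["pid"] for d in map(parse_dump_name, names) if d and d["start"] == base})


def dump_counts(names):
    """Dumps per PID: a region dumped over and over is being rewritten during the run."""
    counts = defaultdict(int)
    for d in map(parse_dump_name, names):
        if d:
            counts[d["pid"]] += 1
    return dict(counts)


def parse_file_tables(text):
    """Parse path lines followed by '| ALG | digest |' rows; reject digests of the wrong length."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            entries.append({"path": line})
            continue
        if not entries:
            raise ValueError("digest row before any file path")
        alg, digest = m.group(1), m.group(2).lower()
        if len(digest) != DIGEST_LEN[alg]:
            raise ValueError(f"{alg} digest of wrong length for {entries[-1]['path']}")
        entries[-1][alg] = digest
    return entries


def payload_hashes(entries):
    """(path, SHA256) for dropped files that are not browser state the sample merely read."""
    return [(e["path"], e["SHA256"]) for e in entries
            if "SHA256" in e and not any(mk in e["path"] for mk in NOISE_MARKERS)]


if __name__ == "__main__":
    for region, pids in shared_regions(SAMPLE_DUMPS).items():
        print(f"region {region[0]:#x}-{region[1]:#x} seen in PIDs {sorted(pids)}")
    print("image-base dumps in PIDs:", image_base_pids(SAMPLE_DUMPS))
    print("dumps per PID:", dump_counts(SAMPLE_DUMPS))
    for path, sha in payload_hashes(parse_file_tables(SAMPLE_TABLE)):
        print(sha, path)
```

Feed it the full list from this page rather than the sample and the 3832 count climbs to the repeated 0x2450000 dumps visible above; the SHA256 list it emits is the set to pivot on, while the Edge and INetCache entries are the files the "Reads user/profile data of web browsers" behaviour touched, not things to block. The `cred64.dll` / `clip64.dll` names dropped twice under random-looking `%APPDATA%` folders match Amadey's well-known plugin pair, which fits the Amadey detection in the summary.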