Malware Analysis Report

2025-08-05 19:00

Sample ID 231019-flhnpafb78
Target 78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39
SHA256 78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39
Tags
amadey dcrat glupteba redline sectoprat smokeloader 5141679758_99 @ytlogsbot breha kukish pixelscloud2.0 backdoor discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan upx google microsoft phishing
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39

Threat Level: Known bad

The file 78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39 was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

SectopRAT

SectopRAT payload

Windows security bypass

RedLine payload

Glupteba payload

Glupteba

DcRat

Detected google phishing page

RedLine

Modifies Windows Defender Real-time Protection settings

Amadey

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Drops file in Drivers directory

Windows security modification

.NET Reactor protector

Uses the VBS compiler for execution

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Manipulates WinMonFS driver

Adds Run key to start application

Manipulates WinMon driver

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Drops file in System32 directory

Suspicious use of SetThreadContext

Detected potential entity reuse from brand microsoft.

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported

2023-10-19 04:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-19 04:57

Reported

2023-10-19 05:10

Platform

win7-20230831-en

Max time kernel

299s

Max time network

306s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (10 rows, all N/A)

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\2189.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2189.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\2189.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2189.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\2189.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (17 rows, all N/A)

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A (19 rows, all N/A)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1CA5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1DAF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ne4zC4kb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ll4Kv0En.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2189.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Yz70TH8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23FA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2TJ045FG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2B7A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\328C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3838.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3E13.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E70.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\75B9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7FC8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1CA5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1CA5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ne4zC4kb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ne4zC4kb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ll4Kv0En.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ll4Kv0En.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Yz70TH8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2TJ045FG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23FA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\2189.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
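The three Defender tables above record one coherent defence-evasion sequence: 1Tq75Dd0.exe and 2189.exe turn off every Real-Time Protection component through the Policies key and write TamperProtection = 0, and 31839b57a4f11171d6abc8bbc4451ee4.exe adds exclusions for exactly the locations and names its payload will use (C:\Windows\rss and csrss.exe, windefender.exe, C:\Windows\System32\drivers; compare the Drops file in Windows directory and Drops file in Drivers directory tables below). The detonation platform is Windows 7, where the TamperProtection feature does not exist, so the write itself rather than its effect is the indicator. The Python below is an added example, not part of the sandbox report or of the malware: it parses registry indicator lines in the report's own format, removes the Wow6432Node redirection so 32-bit and 64-bit writers compare equal, and groups the Defender writes by category and writing process. The sample lines are copied from the tables above, plus one benign iexplore.exe line as a control; the category names are this example's own.

```python
import re
from collections import defaultdict

# Added example: triage of Windows Defender tampering from registry indicator
# lines in the sandbox report's "<op> <key>[ = "<data>"] <process> N/A" format.
# Category names below are this example's own, not the sandbox's.

# Sample lines copied from the Defender tables in the report; the last line
# (iexplore.exe) is a benign control that must not be flagged.
SAMPLE_LINES = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\2189.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\2189.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (.+?) N/A$')
# Greedy key so the writing process is the LAST drive-letter path on the line;
# exclusion keys themselves contain "C:\", so a lazy match would split early.
KEY_RE = re.compile(r'^Key (\w+) (\\REGISTRY\\.+) ([A-Za-z]:\\.+) N/A$')

RTP_POLICY = '\\registry\\machine\\software\\policies\\microsoft\\windows defender\\real-time protection'


def parse(line):
    """Return (op, key, data, process) or None for rows that carry no key.
    Wow6432Node redirection is dropped so 32-bit writers compare equal."""
    m = SET_RE.match(line)
    if m:
        _, key, data, proc = m.groups()
        op = 'Set value'
    else:
        m = KEY_RE.match(line)
        if not m:
            return None
        verb, key, proc = m.groups()
        op, data = 'Key ' + verb, None
    return op, key.replace('\\Wow6432Node', ''), data, proc


def classify(op, key, data):
    """Map one registry write to a Defender-tampering category, or None."""
    k = key.lower()
    if k.startswith(RTP_POLICY):
        if op == 'Key created':
            return 'rtp_policy_key_created', None
        name = key.rsplit('\\', 1)[1]
        if name.lower().startswith('disable') and data == '1':
            return 'rtp_policy_disable', name
    # Defender stores an exclusion as a DWORD 0 named after the excluded item.
    if '\\windows defender\\exclusions\\' in k and data == '0':
        kind, item = key.split('\\Exclusions\\', 1)[1].split('\\', 1)
        return 'exclusion_added', f'{kind}:{item}'
    if k.endswith('\\windows defender\\features\\tamperprotection') and data == '0':
        return 'tamper_protection_off', None
    return None


def triage_defender(lines):
    """Findings as (category, detail, process), plus per-process grouping."""
    findings, by_process, ignored = [], defaultdict(list), 0
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        op, key, data, proc = parsed
        hit = classify(op, key, data)
        if hit is None:
            ignored += 1
            continue
        category, detail = hit
        findings.append((category, detail, proc))
        by_process[proc].append(category)
    return {'findings': findings, 'by_process': dict(by_process), 'ignored': ignored}


if __name__ == '__main__':
    report = triage_defender(SAMPLE_LINES)
    for proc, cats in report['by_process'].items():
        print(proc, '->', sorted(set(cats)))
```

Run as-is it prints the three tampering processes with their categories and ignores the iexplore.exe control. On a live host the same classifier applies to Sysmon Event ID 12/13 registry events; the exclusion items it extracts are worth checking against the drop locations in the file tables, since an exclusion written for a path that does not yet exist is a strong sign the writer is about to create it.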

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\75B9.exe'\"" C:\Users\Admin\AppData\Local\Temp\75B9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1CA5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ll4Kv0En.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ne4zC4kb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe N/A
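Two different things sit in the Run key table above. The RunOnce\wextract_cleanupN values are the standard clean-up hook an IExpress (wextract) self-extractor writes: rundll32.exe advpack.dll,DelNodeRunDLL32 deletes the IXP00N.TMP extraction folder at next logon. They are not persistence, but because each is written by the executable that lives in the previous IXP folder, they expose the eight-deep nesting of self-extracting droppers (IXP000 through IXP007) that the Executes dropped EXE table lists. The Run\socks5 and Run\csrss values are the real persistence: a hidden PowerShell launcher for 75B9.exe in Temp, and a csrss.exe masquerade started from C:\Windows\rss rather than System32. The Python below is an added example, not part of the report, that separates the two and rebuilds the SFX chain from the clean-up hooks. The sample lines are copied from the table above; the OneDrive entry is a constructed benign control, and the heuristics (Temp path, hidden PowerShell, a system-binary name outside the system directories) and verdict labels are this example's own.

```python
import re

# Added example: separate IExpress (wextract) clean-up hooks from real autorun
# persistence in Run/RunOnce indicator lines written in the sandbox report's
# format, and rebuild the nested self-extractor chain from the hooks.
# Heuristics and verdict labels are this example's own.

# Sample lines copied from the "Adds Run key" table above; the OneDrive line
# is a constructed benign control.
SAMPLE_LINES = [
    r'''Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe N/A''',
    r'''Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe N/A''',
    r'''Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe N/A''',
    r'''Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\75B9.exe'\"" C:\Users\Admin\AppData\Local\Temp\75B9.exe N/A''',
    r'''Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A''',
    r'''Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A''',
]

RUN_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\.+?\\CurrentVersion\\(Run|RunOnce)\\([^\\ ]+) = "(.*)" (.+?) N/A$')
SFX_RE = re.compile(r'^rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 "(.+?)"$', re.I)
EXE_RE = re.compile(r'[A-Za-z]:\\[^"\']+?\.exe', re.I)
SYSTEM_NAMES = {'csrss.exe', 'smss.exe', 'lsass.exe', 'services.exe',
                'svchost.exe', 'winlogon.exe', 'wininit.exe'}
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
TEMP_MARKERS = ('\\appdata\\local\\temp\\', '\\windows\\temp\\')


def unescape(s):
    # Undo the report's C-style escaping of backslash and double quote
    # inside quoted value data.
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def triage_autorun(line):
    """Classify one Run/RunOnce indicator line; None if it is not one."""
    m = RUN_RE.match(line)
    if not m:
        return None
    hive, name, data, writer = m.groups()
    cmd = unescape(data)
    sfx = SFX_RE.match(cmd)
    if hive == 'RunOnce' and name.startswith('wextract_cleanup') and sfx:
        return {'name': name, 'verdict': 'sfx_cleanup', 'writer': writer,
                'extracted_dir': sfx.group(1).rstrip('\\'), 'reasons': []}
    reasons = []
    exe = EXE_RE.search(cmd)
    exe_path = exe.group(0) if exe else None
    low = cmd.lower()
    if exe_path and any(t in exe_path.lower() for t in TEMP_MARKERS):
        reasons.append('launches from a Temp directory')
    if 'powershell' in low and '-windowstyle hidden' in low:
        reasons.append('hidden PowerShell launcher')
    if exe_path:
        base = exe_path.lower().rsplit('\\', 1)[1]
        if base in SYSTEM_NAMES and not exe_path.lower().startswith(SYSTEM_DIRS):
            reasons.append(f'system binary name {base} outside System32/SysWOW64')
    return {'name': name, 'verdict': 'suspicious' if reasons else 'review',
            'writer': writer, 'command': cmd, 'reasons': reasons}


def triage_autoruns(lines):
    return [r for r in map(triage_autorun, lines) if r is not None]


def sfx_chain(results):
    """Order the clean-up hooks by index; each writer lives in the folder the
    previous hook schedules for deletion, which exposes the nesting depth."""
    hooks = [r for r in results if r['verdict'] == 'sfx_cleanup']
    hooks.sort(key=lambda r: int(re.search(r'\d+$', r['name']).group()))
    return [(r['writer'], r['extracted_dir']) for r in hooks]


if __name__ == '__main__':
    results = triage_autoruns(SAMPLE_LINES)
    for r in results:
        print(r['name'], r['verdict'], '; '.join(r['reasons']))
    for writer, folder in sfx_chain(results):
        print(writer, 'extracted', folder)
```

The OneDrive control lands in "review" rather than "suspicious" on purpose: plenty of legitimate software autoruns from AppData\Local, so the Temp heuristic is deliberately narrower than "any user-writable path". Feed the full table (all of wextract_cleanup0 through wextract_cleanup7) to sfx_chain to recover the complete dropper nesting.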

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2044 set thread context of 1936 N/A C:\Users\Admin\AppData\Local\Temp\3E13.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20231019050648.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{391E6DE1-6E3D-11EE-949E-462CFFDA645F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1066ea1c4a02da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404456951" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b00000000020000000000106600000001000020000000c569e11c45891b5cadd579a2ee6c69eb689f0928b419719f27022c308a09ceb2000000000e8000000002000020000000a9ff6a57b799681891fd192cf215abd75b1b9898ca60f9bfe38c45fcf0c9ff5b20000000064209f81c19707f4a2592b520ed69768e7b23a5ff201ff2a5a7ce98af5f884b40000000c3d6c11152790353ece2b6ba3f348a941e312c9149fe8a85f0c5032ed50a58a7f197b2f5797902959cf924c684a6c28df99f485c576b42d2ec3f8d47f71e5b36 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-582 = "North Asia East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\5E70.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\5E70.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2189.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\328C.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3838.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2B7A.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5E70.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe
PID 2988 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe
PID 2988 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe
PID 2988 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe
PID 2988 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe
PID 2988 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe
PID 2988 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe
PID 2104 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe
PID 2104 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe
PID 2104 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe
PID 2104 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe
PID 2104 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe
PID 2104 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe
PID 2104 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe
PID 2940 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe
PID 2940 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe
PID 2940 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe
PID 2940 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe
PID 2940 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe
PID 2940 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe
PID 2940 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe
PID 2608 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe
PID 2608 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe
PID 2608 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe
PID 2608 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe
PID 2608 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe
PID 2608 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe
PID 2608 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe
PID 2764 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe
PID 2764 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe
PID 2764 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe
PID 2764 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe
PID 2764 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe
PID 2764 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe
PID 2764 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe
PID 2764 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe
PID 2764 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe
PID 2764 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe
PID 2764 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe
PID 2764 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe
PID 2764 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe
PID 2764 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe
PID 2608 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe
PID 2608 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe
PID 2608 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe
PID 2608 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe
PID 2608 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe
PID 2608 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe
PID 2608 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe
PID 2940 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe
PID 2940 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe
PID 2940 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe
PID 2940 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe
PID 2940 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe
PID 2940 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe
PID 2940 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe
PID 1400 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\Temp\1CA5.exe
PID 1400 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\Temp\1CA5.exe
PID 1400 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\Temp\1CA5.exe
PID 1400 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\Temp\1CA5.exe
PID 1400 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\Temp\1CA5.exe
PID 1400 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\Temp\1CA5.exe
PID 1400 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\Temp\1CA5.exe
PID 1920 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\1CA5.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe

"C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe

C:\Users\Admin\AppData\Local\Temp\1CA5.exe

C:\Users\Admin\AppData\Local\Temp\1CA5.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe

C:\Users\Admin\AppData\Local\Temp\1DAF.exe

C:\Users\Admin\AppData\Local\Temp\1DAF.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ne4zC4kb.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ne4zC4kb.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1F84.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe

C:\Users\Admin\AppData\Local\Temp\2050.exe

C:\Users\Admin\AppData\Local\Temp\2050.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ll4Kv0En.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ll4Kv0En.exe

C:\Users\Admin\AppData\Local\Temp\2189.exe

C:\Users\Admin\AppData\Local\Temp\2189.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Yz70TH8.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Yz70TH8.exe

C:\Users\Admin\AppData\Local\Temp\23FA.exe

C:\Users\Admin\AppData\Local\Temp\23FA.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2TJ045FG.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2TJ045FG.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\2B7A.exe

C:\Users\Admin\AppData\Local\Temp\2B7A.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:312 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\328C.exe

C:\Users\Admin\AppData\Local\Temp\328C.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\3838.exe

C:\Users\Admin\AppData\Local\Temp\3838.exe

C:\Users\Admin\AppData\Local\Temp\3E13.exe

C:\Users\Admin\AppData\Local\Temp\3E13.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\5A99.exe

C:\Users\Admin\AppData\Local\Temp\5A99.exe

C:\Users\Admin\AppData\Local\Temp\5E70.exe

C:\Users\Admin\AppData\Local\Temp\5E70.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\75B9.exe

C:\Users\Admin\AppData\Local\Temp\75B9.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\7FC8.exe

C:\Users\Admin\AppData\Local\Temp\7FC8.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231019050648.log C:\Windows\Logs\CBS\CbsPersist_20231019050648.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {AADF72B1-1579-436F-9BB0-35EC53CC548E} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "35355636922998513-55191365218687861541359238668-18930686721131016287-249960370"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1370430758108456474513121974211547622427391218072-13972280531970881105108197523"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-88415085210073800511440599683179988787-34101286-1245114689-1596434707726094893"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network


Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe

MD5 8e7c0957ea65ee1f303a9a92913c762c
SHA1 65b905864566f9679e654728a1c38924ef5ae6e3
SHA256 76e24bef00f8d294cc39fee9a10afcc1fe25455eec5a8fc236f77a505e31dfd4
SHA512 d5dcd6b237ce1c34dfef08c795b6e7e763fdfdbdd9fbb660038e39448490b1745ad3e1431f13214e238cf6d6c7e0e5dc821d3c5458726bc71f93975c93e3cd91

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe

MD5 8e7c0957ea65ee1f303a9a92913c762c
SHA1 65b905864566f9679e654728a1c38924ef5ae6e3
SHA256 76e24bef00f8d294cc39fee9a10afcc1fe25455eec5a8fc236f77a505e31dfd4
SHA512 d5dcd6b237ce1c34dfef08c795b6e7e763fdfdbdd9fbb660038e39448490b1745ad3e1431f13214e238cf6d6c7e0e5dc821d3c5458726bc71f93975c93e3cd91

\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe

MD5 8e7c0957ea65ee1f303a9a92913c762c
SHA1 65b905864566f9679e654728a1c38924ef5ae6e3
SHA256 76e24bef00f8d294cc39fee9a10afcc1fe25455eec5a8fc236f77a505e31dfd4
SHA512 d5dcd6b237ce1c34dfef08c795b6e7e763fdfdbdd9fbb660038e39448490b1745ad3e1431f13214e238cf6d6c7e0e5dc821d3c5458726bc71f93975c93e3cd91

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe

MD5 8e7c0957ea65ee1f303a9a92913c762c
SHA1 65b905864566f9679e654728a1c38924ef5ae6e3
SHA256 76e24bef00f8d294cc39fee9a10afcc1fe25455eec5a8fc236f77a505e31dfd4
SHA512 d5dcd6b237ce1c34dfef08c795b6e7e763fdfdbdd9fbb660038e39448490b1745ad3e1431f13214e238cf6d6c7e0e5dc821d3c5458726bc71f93975c93e3cd91

\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe

MD5 a80ac681e56556319517c35671ba272f
SHA1 8692ce8d09d75696a66405d96b8c1c37d113a2bd
SHA256 be63235867b1da2f8f3e30af410fba3943d4f08d6f5aedf7c9a7416bc9f75c2b
SHA512 633da122e23699b8c1aaf16e6cc639575fa889efb252396d7f174d36516f64f2deb51de1c0b90127609a09d5b79cb5e72806641e0190b07f7828a684f0017935

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe

MD5 a80ac681e56556319517c35671ba272f
SHA1 8692ce8d09d75696a66405d96b8c1c37d113a2bd
SHA256 be63235867b1da2f8f3e30af410fba3943d4f08d6f5aedf7c9a7416bc9f75c2b
SHA512 633da122e23699b8c1aaf16e6cc639575fa889efb252396d7f174d36516f64f2deb51de1c0b90127609a09d5b79cb5e72806641e0190b07f7828a684f0017935

\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe

MD5 a80ac681e56556319517c35671ba272f
SHA1 8692ce8d09d75696a66405d96b8c1c37d113a2bd
SHA256 be63235867b1da2f8f3e30af410fba3943d4f08d6f5aedf7c9a7416bc9f75c2b
SHA512 633da122e23699b8c1aaf16e6cc639575fa889efb252396d7f174d36516f64f2deb51de1c0b90127609a09d5b79cb5e72806641e0190b07f7828a684f0017935

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe

MD5 a80ac681e56556319517c35671ba272f
SHA1 8692ce8d09d75696a66405d96b8c1c37d113a2bd
SHA256 be63235867b1da2f8f3e30af410fba3943d4f08d6f5aedf7c9a7416bc9f75c2b
SHA512 633da122e23699b8c1aaf16e6cc639575fa889efb252396d7f174d36516f64f2deb51de1c0b90127609a09d5b79cb5e72806641e0190b07f7828a684f0017935

\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe

MD5 08e859e625ab899da7bb674f9512b872
SHA1 23c641c4fdda72344b6f1310b80c5614704ffa1f
SHA256 c9c5ec4980fd352bda39b182d003fa90a4082e6fca78296553020d3a16e871ec
SHA512 cee09458a365d9970147e327df9505deed1e664734df149f09ca446dcc1fb8580c161fa28123b976d456c3cc4f78e7ed6a21dbd8e918a644f039c0a06f408d70

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe

MD5 08e859e625ab899da7bb674f9512b872
SHA1 23c641c4fdda72344b6f1310b80c5614704ffa1f
SHA256 c9c5ec4980fd352bda39b182d003fa90a4082e6fca78296553020d3a16e871ec
SHA512 cee09458a365d9970147e327df9505deed1e664734df149f09ca446dcc1fb8580c161fa28123b976d456c3cc4f78e7ed6a21dbd8e918a644f039c0a06f408d70

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe

MD5 08e859e625ab899da7bb674f9512b872
SHA1 23c641c4fdda72344b6f1310b80c5614704ffa1f
SHA256 c9c5ec4980fd352bda39b182d003fa90a4082e6fca78296553020d3a16e871ec
SHA512 cee09458a365d9970147e327df9505deed1e664734df149f09ca446dcc1fb8580c161fa28123b976d456c3cc4f78e7ed6a21dbd8e918a644f039c0a06f408d70

\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe

MD5 08e859e625ab899da7bb674f9512b872
SHA1 23c641c4fdda72344b6f1310b80c5614704ffa1f
SHA256 c9c5ec4980fd352bda39b182d003fa90a4082e6fca78296553020d3a16e871ec
SHA512 cee09458a365d9970147e327df9505deed1e664734df149f09ca446dcc1fb8580c161fa28123b976d456c3cc4f78e7ed6a21dbd8e918a644f039c0a06f408d70

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe

MD5 9601d2f0c6fb26b8545f1dca010d63a8
SHA1 54e6dbce7d8d19f7b802ae006030108485bdbcd6
SHA256 a0103548bafb70e5de4804dfeed7aaeb8520075dda1e9cd6dabc0a831285c15a
SHA512 6e5efe494279bbbdcbc2c4f0c3cc4fd999200e614a0951cbf7f8207c223715bdb0f680b235be242199e59578aa2b89e220948391b0056e7621e829c38baa4d0f

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe

MD5 9601d2f0c6fb26b8545f1dca010d63a8
SHA1 54e6dbce7d8d19f7b802ae006030108485bdbcd6
SHA256 a0103548bafb70e5de4804dfeed7aaeb8520075dda1e9cd6dabc0a831285c15a
SHA512 6e5efe494279bbbdcbc2c4f0c3cc4fd999200e614a0951cbf7f8207c223715bdb0f680b235be242199e59578aa2b89e220948391b0056e7621e829c38baa4d0f

\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe

MD5 9601d2f0c6fb26b8545f1dca010d63a8
SHA1 54e6dbce7d8d19f7b802ae006030108485bdbcd6
SHA256 a0103548bafb70e5de4804dfeed7aaeb8520075dda1e9cd6dabc0a831285c15a
SHA512 6e5efe494279bbbdcbc2c4f0c3cc4fd999200e614a0951cbf7f8207c223715bdb0f680b235be242199e59578aa2b89e220948391b0056e7621e829c38baa4d0f

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe

MD5 9601d2f0c6fb26b8545f1dca010d63a8
SHA1 54e6dbce7d8d19f7b802ae006030108485bdbcd6
SHA256 a0103548bafb70e5de4804dfeed7aaeb8520075dda1e9cd6dabc0a831285c15a
SHA512 6e5efe494279bbbdcbc2c4f0c3cc4fd999200e614a0951cbf7f8207c223715bdb0f680b235be242199e59578aa2b89e220948391b0056e7621e829c38baa4d0f

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

memory/2760-50-0x00000000012A0000-0x00000000012AA000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

memory/2608-58-0x0000000000160000-0x0000000000169000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

memory/2608-64-0x0000000000160000-0x0000000000169000-memory.dmp

memory/2336-68-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2336-70-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1400-69-0x0000000002560000-0x0000000002576000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

memory/2368-79-0x0000000000AF0000-0x0000000000B2E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1CA5.exe

MD5 9534d3197913a4c8e0b61894af6a24ff
SHA1 2cb8b9dcb3030d4f7af73bc9d7f17933abdc0959
SHA256 3fb0cc82002d6ff83118a6b3ca7ef8b0b118e361aaf1ace619b1a342378b8959
SHA512 c414622384aa4b5e522339f30a76f81808a62093d255652cf74f116dfe13012f72bf292fe38f72b5260472205688d10750beab29c924f8f7276c0532232235fc

\Users\Admin\AppData\Local\Temp\1CA5.exe

MD5 9534d3197913a4c8e0b61894af6a24ff
SHA1 2cb8b9dcb3030d4f7af73bc9d7f17933abdc0959
SHA256 3fb0cc82002d6ff83118a6b3ca7ef8b0b118e361aaf1ace619b1a342378b8959
SHA512 c414622384aa4b5e522339f30a76f81808a62093d255652cf74f116dfe13012f72bf292fe38f72b5260472205688d10750beab29c924f8f7276c0532232235fc

C:\Users\Admin\AppData\Local\Temp\1CA5.exe

MD5 9534d3197913a4c8e0b61894af6a24ff
SHA1 2cb8b9dcb3030d4f7af73bc9d7f17933abdc0959
SHA256 3fb0cc82002d6ff83118a6b3ca7ef8b0b118e361aaf1ace619b1a342378b8959
SHA512 c414622384aa4b5e522339f30a76f81808a62093d255652cf74f116dfe13012f72bf292fe38f72b5260472205688d10750beab29c924f8f7276c0532232235fc

\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe

MD5 8d64f887f8a92a48a96268b9202465ba
SHA1 dd7b57359eee25598f22cb0e36ae2f71aaffaf9c
SHA256 3dede43429d299c4de5704a8d5851de30fcf1a745873e88830a1a77f01452c3a
SHA512 4193e5d336cf386a36f198614314f6707da384c97cc6f3f9474183587dd86b71b7e93d408a2eb73dbb6409214cdb48f1737626e277fd964de04c32b66e15b2bd

C:\Users\Admin\AppData\Local\Temp\1DAF.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\1DAF.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe

MD5 8d64f887f8a92a48a96268b9202465ba
SHA1 dd7b57359eee25598f22cb0e36ae2f71aaffaf9c
SHA256 3dede43429d299c4de5704a8d5851de30fcf1a745873e88830a1a77f01452c3a
SHA512 4193e5d336cf386a36f198614314f6707da384c97cc6f3f9474183587dd86b71b7e93d408a2eb73dbb6409214cdb48f1737626e277fd964de04c32b66e15b2bd

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe

MD5 8d64f887f8a92a48a96268b9202465ba
SHA1 dd7b57359eee25598f22cb0e36ae2f71aaffaf9c
SHA256 3dede43429d299c4de5704a8d5851de30fcf1a745873e88830a1a77f01452c3a
SHA512 4193e5d336cf386a36f198614314f6707da384c97cc6f3f9474183587dd86b71b7e93d408a2eb73dbb6409214cdb48f1737626e277fd964de04c32b66e15b2bd

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe

MD5 8d64f887f8a92a48a96268b9202465ba
SHA1 dd7b57359eee25598f22cb0e36ae2f71aaffaf9c
SHA256 3dede43429d299c4de5704a8d5851de30fcf1a745873e88830a1a77f01452c3a
SHA512 4193e5d336cf386a36f198614314f6707da384c97cc6f3f9474183587dd86b71b7e93d408a2eb73dbb6409214cdb48f1737626e277fd964de04c32b66e15b2bd

\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ne4zC4kb.exe

MD5 032d5f918f2b90071f8270c7c6549c22
SHA1 a3b6708b789cc2b16b34258c6dde3f296d32829a
SHA256 02eef1555d17f950b2a11361c0416a486affe79ff20c6e11c126939efe69e58b
SHA512 e099f146e3007deb7c84167cbbd08d89c94240749aacb71e84df7db41d54f2c4690edc980ba3b61389e73c17c5f4d94e1303f06152076119673ee26cf8d74c07

C:\Users\Admin\AppData\Local\Temp\1F84.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ne4zC4kb.exe

MD5 032d5f918f2b90071f8270c7c6549c22
SHA1 a3b6708b789cc2b16b34258c6dde3f296d32829a
SHA256 02eef1555d17f950b2a11361c0416a486affe79ff20c6e11c126939efe69e58b
SHA512 e099f146e3007deb7c84167cbbd08d89c94240749aacb71e84df7db41d54f2c4690edc980ba3b61389e73c17c5f4d94e1303f06152076119673ee26cf8d74c07

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\4ma820Em.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ll4Kv0En.exe

MD5 f9cc1215566028b4fcce39bdaab36cf2
SHA1 09c99d5cdea2d9c6ca47fb148ede643df8a62e66
SHA256 b13ad2cdd432481dccfce4f59ab56ecf5cde942ba20ff9e444a6d1542eaf919e
SHA512 b14fc7dea089cd8453f48eacb42f35ffb7ff3ac18dba5ebf5fba840d18c7016353c2a8cd97d0ab6a56c89b5f329c31f99459ca8ea9ab336e84ac53c290e8ad87

\Users\Admin\AppData\Local\Temp\IXP005.TMP\ll4Kv0En.exe

MD5 f9cc1215566028b4fcce39bdaab36cf2
SHA1 09c99d5cdea2d9c6ca47fb148ede643df8a62e66
SHA256 b13ad2cdd432481dccfce4f59ab56ecf5cde942ba20ff9e444a6d1542eaf919e
SHA512 b14fc7dea089cd8453f48eacb42f35ffb7ff3ac18dba5ebf5fba840d18c7016353c2a8cd97d0ab6a56c89b5f329c31f99459ca8ea9ab336e84ac53c290e8ad87

\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe

MD5 cba6ebdf0505a8516794e7cd697f19d9
SHA1 a859e5303107806f5600d9fae61603e607842c44
SHA256 615a06fb3199ffd7d67cb4ac5e2e7e446a468e9f201a2ceaf1a0d0ab34a2913f
SHA512 85ce1f61ef98695e8ff636f7f51448c51eaf7072b0732b2e1535d29be00d862c528b1a40b8bb602b441ab3b64a3ae13d58a50b4973825509e110fce8cfa048d3

C:\Users\Admin\AppData\Local\Temp\2050.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\2189.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe

MD5 cba6ebdf0505a8516794e7cd697f19d9
SHA1 a859e5303107806f5600d9fae61603e607842c44
SHA256 615a06fb3199ffd7d67cb4ac5e2e7e446a468e9f201a2ceaf1a0d0ab34a2913f
SHA512 85ce1f61ef98695e8ff636f7f51448c51eaf7072b0732b2e1535d29be00d862c528b1a40b8bb602b441ab3b64a3ae13d58a50b4973825509e110fce8cfa048d3

\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Yz70TH8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Yz70TH8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

memory/472-158-0x0000000001D70000-0x0000000001D90000-memory.dmp

memory/2316-146-0x0000000000DB0000-0x0000000000DEE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\23FA.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/472-182-0x0000000002050000-0x000000000206E000-memory.dmp

memory/472-193-0x0000000002050000-0x0000000002068000-memory.dmp

memory/472-194-0x0000000002050000-0x0000000002068000-memory.dmp

memory/472-198-0x0000000002050000-0x0000000002068000-memory.dmp

memory/472-202-0x0000000002050000-0x0000000002068000-memory.dmp

memory/472-206-0x0000000002050000-0x0000000002068000-memory.dmp

memory/472-210-0x0000000002050000-0x0000000002068000-memory.dmp

memory/472-218-0x0000000002050000-0x0000000002068000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP007.TMP\2TJ045FG.exe

MD5 298a32008ab379b18ee24ab703ad0aa0
SHA1 6dd8639ccefa9cf0ab1571e4dc526c4b91cc9d21
SHA256 16eb91f428943a9c7301eb839e93ee3f38ee5864ff2c3b6d62ef57f00ee2cf28
SHA512 bfefaa4bbef8d2fd8b96801b92d8bdcfa8bd2118ddfc8abc13a7c26cdfb0573c5d2d588981941c1f11af2eee2a6faca7c240fecf40ba8fb51989fc5d049c6b6b

memory/1972-223-0x0000000001020000-0x000000000105E000-memory.dmp

memory/472-221-0x0000000002050000-0x0000000002068000-memory.dmp

memory/472-226-0x0000000002050000-0x0000000002068000-memory.dmp

memory/472-230-0x0000000002050000-0x0000000002068000-memory.dmp

memory/472-234-0x0000000002050000-0x0000000002068000-memory.dmp

memory/472-236-0x0000000002050000-0x0000000002068000-memory.dmp

memory/472-238-0x0000000002050000-0x0000000002068000-memory.dmp

memory/472-242-0x0000000002050000-0x0000000002068000-memory.dmp

memory/472-244-0x0000000002050000-0x0000000002068000-memory.dmp

memory/472-246-0x0000000002050000-0x0000000002068000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2B7A.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/472-254-0x0000000002050000-0x0000000002068000-memory.dmp

memory/2316-255-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/472-260-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/472-259-0x0000000004660000-0x00000000046A0000-memory.dmp

memory/472-258-0x0000000004660000-0x00000000046A0000-memory.dmp

memory/2316-257-0x00000000070F0000-0x0000000007130000-memory.dmp

memory/472-256-0x0000000004660000-0x00000000046A0000-memory.dmp

memory/2920-262-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2920-261-0x0000000000230000-0x000000000028A000-memory.dmp

memory/2920-269-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2920-270-0x0000000006FB0000-0x0000000006FF0000-memory.dmp

memory/2024-271-0x0000000001390000-0x00000000013AE000-memory.dmp

memory/2024-273-0x0000000000300000-0x0000000000340000-memory.dmp

memory/2024-272-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2652-277-0x00000000003E0000-0x000000000043A000-memory.dmp

memory/2652-278-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2652-279-0x0000000002170000-0x00000000021B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3E58.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2316-297-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2316-299-0x00000000070F0000-0x0000000007130000-memory.dmp

memory/472-298-0x0000000004660000-0x00000000046A0000-memory.dmp

memory/1936-302-0x0000000000400000-0x000000000043E000-memory.dmp

memory/472-301-0x0000000004660000-0x00000000046A0000-memory.dmp

memory/472-307-0x0000000004660000-0x00000000046A0000-memory.dmp

memory/1936-306-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1936-300-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2044-309-0x0000000000A40000-0x0000000000B5B000-memory.dmp

memory/1936-310-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1936-311-0x0000000000400000-0x000000000043E000-memory.dmp

memory/472-312-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/1936-313-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/1936-314-0x00000000004F0000-0x0000000000530000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar481D.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ff5f0334e421a55dc6be40405f777f1
SHA1 0e965c81ef8c488acfeec2f31610a6269e510c42
SHA256 462404b494b3b83bff6dd8b275ab0579149bc1d643dfe9565936eea00cc066c2
SHA512 fd2745d8fd3a741290f0aeb1fecdc3cc7270c75142b3962b9b427821974c74f7186d6526d2502a0ef4bb0a585b35c63bd91d5f1077528add8ce344873c0a2322

memory/2920-350-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2920-373-0x0000000006FB0000-0x0000000006FF0000-memory.dmp

memory/2024-374-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/472-402-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2024-409-0x0000000000300000-0x0000000000340000-memory.dmp

memory/1020-424-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/1020-421-0x0000000000920000-0x0000000000D78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5E70.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

memory/2652-439-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2652-455-0x0000000002170000-0x00000000021B0000-memory.dmp

memory/3016-458-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3016-456-0x0000000000020000-0x000000000003E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

memory/2864-465-0x0000000004B00000-0x0000000004EF8000-memory.dmp

memory/3016-471-0x0000000004640000-0x0000000004680000-memory.dmp

memory/1020-470-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/3016-472-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2044-473-0x0000000000A40000-0x0000000000B5B000-memory.dmp

memory/1936-474-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/1080-491-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/1936-492-0x00000000004F0000-0x0000000000530000-memory.dmp

memory/2864-493-0x0000000004B00000-0x0000000004EF8000-memory.dmp

memory/2864-498-0x0000000004F00000-0x00000000057EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\75B9.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2864-507-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7FC8.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\04G0TJCH\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

memory/2864-654-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3016-655-0x0000000004640000-0x0000000004680000-memory.dmp

memory/3016-656-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2920-658-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2864-673-0x0000000004B00000-0x0000000004EF8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42bb3c6a1fc94eba8edbe99a393d2a1e
SHA1 faca99d419bc4fa211fb607977241b1c6ab9380e
SHA256 3ee432bbc459d15d82a9c9baf7444f5295c227eac7270197a6b3dc117bdd172a
SHA512 3aa909b3519cd56f5d5219ad23835c18efc172e7d32961340a369bd8d99cbbde946692043061d26a16a4622ad94a75e6940158e3fa9b2f298690ed7f56ccb285

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dde9f5620027f45af87e5d88fce51129
SHA1 4d5143c8d2d6ac2dcf5b2311145cc57f59d65374
SHA256 9bcd4f6acbbe4f4463f6506ee25b13c8449da40f3d439bc2f04e01b9f53733ea
SHA512 c1f59285b55c24440a225d4b32a74cd0c8902500452afda9c94293d79791ee5305b9069d88df16e57b7a2e1ce8b74aabd65f53830e5f0ff9a2407ba5c0b74055

memory/2652-746-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2864-747-0x0000000004F00000-0x00000000057EB000-memory.dmp

memory/3016-749-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/1936-750-0x00000000744B0000-0x0000000074B9E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 098355dd45c1bd20d4ad38122a294ad3
SHA1 34690337f109008d7862d64b7912e276c0468bdd
SHA256 be80109540cbb61123ca4996b769c29d1e8dfb041d7c6f4b70d1c366f5873094
SHA512 caf166adac895673fe51b3a05a9dc79e56e863b5d12f08e4bb488e11b5acbe03423311834d6bd7c9b93b6acfa9749a3500e10900631d7f90a2a62229a64b787d

memory/2864-769-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8630247acad824599831ca2aa32b3c0a
SHA1 8e3eda1622177314e24037b6f690af9ede9b03f2
SHA256 acc37a94e9ef2fa12a54a44ef2b52e01f695fa136e38b2959b1f4be78f05996b
SHA512 c757a44b032be7b8d113d07dc5aaad3a9f85421230d59dda604fa7156131af02bbf482971f7a55991f5bc67db034b2940c064ed11b9dfb6573a95376d9126923

memory/2864-804-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f64e491125c2c89d35fcfbc4a62a8d83
SHA1 c1045c410dc7f8504f128d135224dfd6e619d3a0
SHA256 f3e26f98e28638b7b38ffdcffa88050645c8cc6f7f3b998a7618c44a93d4d787
SHA512 d977bee7c6b8a2264d1f2dcaf7b4e2db56da86ecb79275b3878256b91fae24cdeb82e9cb889d1bf6f169b09a788b8ff978cc84f68184a1b6a6eea0c28e045888

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 92cd81c966df3db0faea700707f520ec
SHA1 787b6d2787a558bea6687415420c163a32818d46
SHA256 1aa8fd976d02f6246bcd41cd14bcb1f3d97f95ec2b2f377cc0c6b3530e06b15a
SHA512 656cfe6714bd616b57d4ffb9b73f78bfb2ccdeff942b3384cb5a2c5d86aa7f0b20fc17d61a3ef3046195c4ec07e77c1b94dbe20be0b9c926ccf1734a909f4b41

memory/2160-896-0x0000000004750000-0x0000000004B48000-memory.dmp

memory/2864-897-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2160-908-0x0000000004750000-0x0000000004B48000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 208038280e1fa27795ee9a0e8bfaf3ea
SHA1 93496a245f849e69f0242f632ca5b0c814a6151f
SHA256 003234aa514f7ba0c27d6e634462c38880c0e0fcd6ba5a865bc14c54a6c898bf
SHA512 dd0cdc24c938aa79436e7f0c7747e41b315ccaef60836f226e7050596e493516531b60e44d3742db41abf6c98ca44614c8cd5a16038d65a352e6e0c11fbbc300

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 c1da9b6dff479411e195edfa46a8b352
SHA1 c7fa7c1f4bfc5e9c82a8807041582aa308604e16
SHA256 a97a37ec4aa7f128480484685467a83e3e0df3c7f86d4c26fd6b4948ab3f2978
SHA512 ba8df8fdb8e3cb8914270fce4e0cb875649fb5d2342b50a09e5522ffeea27ea2128b2589c5c2263489172d4da291308bc2701929e42fe2795d2986a2ff4b119a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17439de37a5408e997455f266f14fab3
SHA1 3fd6ca925c694a7e4cceef2e7ba9ae39224daf6a
SHA256 e4d867b427dce8afd1bf754a49afeace472c4ab833fa7f86da33b2d59db3aa1d
SHA512 fb13311572659036e1ab111a62ca3672f2626086f65544e83c7038d25df3a36e3ccd1be9266a465532ae8ef05419ef23232b6f3c94abef27e801c0d25de354ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5184c9a8792f589694d45dda80c31e22
SHA1 9d0694f31f825dfc5c0b0b834f3ad18b0ba116af
SHA256 54c4e95cd5889d3d64da72fa7487adce1422476b2d2ca8c53753e3cc97eebd68
SHA512 07f82bbfda82b8c935af5d8c0ec52ab562ee0b5eb5f661b2bac25efd03390041869397028c45b6c86881fd94a2afd410ebfa331335400f491a1ca472eba32b85

memory/2372-1100-0x0000000004A10000-0x0000000004E08000-memory.dmp

memory/2160-1101-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/2372-1213-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\04G0TJCH\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

memory/2372-1251-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-19 04:57

Reported

2023-10-19 05:10

Platform

win10-20230915-en

Max time kernel

300s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detected google phishing page

phishing google

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\9431.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\9431.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\9431.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\9431.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\9431.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9898.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9083.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9140.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ne4zC4kb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ll4Kv0En.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9336.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9431.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Yz70TH8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\954B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2TJ045FG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9898.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9A10.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9B39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A4EF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BF6D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C308.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C413.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C7CD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\9431.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ne4zC4kb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\C413.exe'\"" C:\Users\Admin\AppData\Local\Temp\C413.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9083.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ll4Kv0En.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Detected potential entity reuse from brand microsoft.

phishing microsoft

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4456 set thread context of 516 N/A C:\Users\Admin\AppData\Local\Temp\A4EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\learn.microsoft.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 50ddc30b4a02da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\microsoft.com\Total = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 900a72ad9a15da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\MrtCache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "404473559" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\microsoft.com C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdoma = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 456914114a02da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "403854100" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\microsoft.com\NumberOfSubd = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-844837608-3875958368-2945961404-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9431.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9A10.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9B39.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C308.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe
PID 4248 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe
PID 4100 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe
PID 3632 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe
PID 5016 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe
PID 5016 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe
PID 3632 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe
PID 4100 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe
PID 3172 wrote to memory of 1816 N/A N/A C:\Users\Admin\AppData\Local\Temp\9083.exe
PID 1816 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\9083.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe
PID 3172 wrote to memory of 1832 N/A N/A C:\Users\Admin\AppData\Local\Temp\9140.exe
PID 2020 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ne4zC4kb.exe
PID 3172 wrote to memory of 2204 N/A N/A C:\Windows\system32\cmd.exe
PID 3980 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ne4zC4kb.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ll4Kv0En.exe
PID 3172 wrote to memory of 1712 N/A N/A C:\Users\Admin\AppData\Local\Temp\9336.exe
PID 964 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ll4Kv0En.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe
PID 3172 wrote to memory of 2452 N/A N/A C:\Users\Admin\AppData\Local\Temp\9431.exe
PID 432 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Yz70TH8.exe
PID 3172 wrote to memory of 4216 N/A N/A C:\Users\Admin\AppData\Local\Temp\954B.exe
PID 432 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2TJ045FG.exe
PID 3172 wrote to memory of 3476 N/A N/A C:\Users\Admin\AppData\Local\Temp\9898.exe
PID 4216 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\954B.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe

"C:\Users\Admin\AppData\Local\Temp\78840cd773186b45404a65332d89f4cd4bf5022bb01b979f5ccbee4cd65f3b39.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LN2wp25.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WR4Qa69.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL4VY64.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bw1xX00.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tq75Dd0.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yg0262.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3ki22tZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4uI416uP.exe

C:\Users\Admin\AppData\Local\Temp\9083.exe

C:\Users\Admin\AppData\Local\Temp\9083.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\No7uL2fR.exe

C:\Users\Admin\AppData\Local\Temp\9140.exe

C:\Users\Admin\AppData\Local\Temp\9140.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ne4zC4kb.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Ne4zC4kb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9279.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ll4Kv0En.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ll4Kv0En.exe

C:\Users\Admin\AppData\Local\Temp\9336.exe

C:\Users\Admin\AppData\Local\Temp\9336.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\zo1qA1YA.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Yz70TH8.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Yz70TH8.exe

C:\Users\Admin\AppData\Local\Temp\9431.exe

C:\Users\Admin\AppData\Local\Temp\9431.exe

C:\Users\Admin\AppData\Local\Temp\954B.exe

C:\Users\Admin\AppData\Local\Temp\954B.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2TJ045FG.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2TJ045FG.exe

C:\Users\Admin\AppData\Local\Temp\9898.exe

C:\Users\Admin\AppData\Local\Temp\9898.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\9A10.exe

C:\Users\Admin\AppData\Local\Temp\9A10.exe

C:\Users\Admin\AppData\Local\Temp\9B39.exe

C:\Users\Admin\AppData\Local\Temp\9B39.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\A4EF.exe

C:\Users\Admin\AppData\Local\Temp\A4EF.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\BF6D.exe

C:\Users\Admin\AppData\Local\Temp\BF6D.exe

C:\Users\Admin\AppData\Local\Temp\C308.exe

C:\Users\Admin\AppData\Local\Temp\C308.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\C413.exe

C:\Users\Admin\AppData\Local\Temp\C413.exe

C:\Users\Admin\AppData\Local\Temp\C7CD.exe

C:\Users\Admin\AppData\Local\Temp\C7CD.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network


Files

SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

C:\Users\Admin\AppData\Local\Temp\9898.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/4480-176-0x00000000003A0000-0x00000000003BE000-memory.dmp

memory/2452-178-0x0000000004940000-0x0000000004958000-memory.dmp

memory/4480-180-0x0000000072CD0000-0x00000000733BE000-memory.dmp

memory/2452-181-0x0000000004940000-0x0000000004958000-memory.dmp

memory/2452-183-0x0000000004940000-0x0000000004958000-memory.dmp

memory/2452-175-0x0000000004940000-0x0000000004958000-memory.dmp

memory/3888-184-0x0000000007350000-0x0000000007360000-memory.dmp

memory/3888-170-0x0000000072CD0000-0x00000000733BE000-memory.dmp

memory/2452-186-0x0000000004940000-0x0000000004958000-memory.dmp

memory/2452-188-0x0000000004940000-0x0000000004958000-memory.dmp

memory/2452-192-0x0000000004940000-0x0000000004958000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A4EF.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

memory/4480-196-0x0000000004C50000-0x0000000004C60000-memory.dmp

memory/3476-195-0x0000000002070000-0x00000000020CA000-memory.dmp

memory/3476-199-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2452-197-0x0000000004940000-0x0000000004958000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A4EF.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

memory/3888-203-0x0000000007BC0000-0x0000000007C26000-memory.dmp

memory/1712-209-0x0000000072CD0000-0x00000000733BE000-memory.dmp

memory/2452-212-0x0000000072CD0000-0x00000000733BE000-memory.dmp

memory/2452-215-0x00000000049B0000-0x00000000049C0000-memory.dmp

memory/2452-217-0x00000000049B0000-0x00000000049C0000-memory.dmp

memory/4456-220-0x0000000000290000-0x00000000003AB000-memory.dmp

memory/516-219-0x0000000004800000-0x000000000483E000-memory.dmp

memory/2212-232-0x000001A188680000-0x000001A188690000-memory.dmp

memory/4456-234-0x0000000000290000-0x00000000003AB000-memory.dmp

memory/2452-237-0x00000000049B0000-0x00000000049C0000-memory.dmp

memory/4196-243-0x0000000072CD0000-0x00000000733BE000-memory.dmp

memory/516-249-0x0000000072CD0000-0x00000000733BE000-memory.dmp

memory/516-252-0x000000000B2D0000-0x000000000B2E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BF6D.exe

MD5 5678c3a93dafcd5ba94fd33528c62276
SHA1 8cdd901481b7080e85b6c25c18226a005edfdb74
SHA256 2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
SHA512 b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7

C:\Users\Admin\AppData\Local\Temp\BF6D.exe

MD5 5678c3a93dafcd5ba94fd33528c62276
SHA1 8cdd901481b7080e85b6c25c18226a005edfdb74
SHA256 2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
SHA512 b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7

memory/768-262-0x00000000002D0000-0x0000000000728000-memory.dmp

memory/3888-263-0x0000000072CD0000-0x00000000733BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C308.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

memory/768-264-0x0000000072CD0000-0x00000000733BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C413.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\C413.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/4480-281-0x0000000072CD0000-0x00000000733BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C7CD.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

C:\Users\Admin\AppData\Local\Temp\C7CD.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

C:\Users\Admin\AppData\Local\Temp\C308.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3888-295-0x0000000007350000-0x0000000007360000-memory.dmp

memory/2016-296-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4480-297-0x0000000004C50000-0x0000000004C60000-memory.dmp

memory/768-294-0x0000000072CD0000-0x00000000733BE000-memory.dmp

memory/2016-303-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/2016-304-0x0000000072CD0000-0x00000000733BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3888-311-0x0000000009240000-0x00000000092B6000-memory.dmp

memory/2452-305-0x0000000072CD0000-0x00000000733BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/1056-314-0x0000000004C20000-0x000000000501A000-memory.dmp

memory/2016-315-0x0000000000A00000-0x0000000000A10000-memory.dmp

memory/3888-316-0x0000000009490000-0x0000000009652000-memory.dmp

memory/516-317-0x0000000072CD0000-0x00000000733BE000-memory.dmp

memory/3888-320-0x00000000093D0000-0x00000000093EE000-memory.dmp

memory/1056-319-0x0000000005020000-0x000000000590B000-memory.dmp

memory/3888-318-0x0000000009B90000-0x000000000A0BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b4xdhwiv.lde.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\IL7RFJ9S\B8BxsscfVBr[1].ico

MD5 e508eca3eafcc1fc2d7f19bafb29e06b
SHA1 a62fc3c2a027870d99aedc241e7d5babba9a891f
SHA256 e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a
SHA512 49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 08f72a15d90b41631eb973d2ff60462e
SHA1 e2156ef36474f8c8f274124a3e45aa4a4b04b629
SHA256 cb0ec1107a0fe72fbf2ffbd9bd35a7d1333e73063c7b317f76a5cea89f86d3e9
SHA512 39328417833576b37af5a0a5f9789aec8620ac0540c5bce92acf6a498f6aeeec3bea7a551e0a42329a1dad3c1d64272e70e140cc8b0e233c82678f53c32d03e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2RZQZMR9\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\HQUFFG9F\tex-mml-chtml[1].js

MD5 2e00d51c98dbb338e81054f240e1deb2
SHA1 d33bac6b041064ae4330dcc2d958ebe4c28ebe58
SHA256 300480069078b5892d2363a2b65e2dfbbf30fe5c80f83edbfecf4610fd093862
SHA512 b6268d980ce9cb729c82dba22f04fd592952b2a1aab43079ca5330c68a86e72b0d232ce4070db893a5054ee5c68325c92c9f1a33f868d61ebb35129e74fc7ef9

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\hkjsbih\imagestore.dat

MD5 8bc31107607346cd0a5c70f27dd83a97
SHA1 982d26c104b48283c1a10f71cd4df889c74a5823
SHA256 a2d62ef4d0c49f8eeb2fc1087ab59688c2191df5df3699528f1f8a2bfb6fb1d8
SHA512 434204ea70a17591efba3cbf320506a8dedb32d6b9b1675bcbd4216ecf85abeda099af2a91c79b2f2f4065d5929ee44d82b143de99a57a3c4935745eb618a6bb

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\N3QGFW8D\favicon[1].ico

MD5 12e3dac858061d088023b2bd48e2fa96
SHA1 e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5
SHA256 90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21
SHA512 c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\2SR1L369\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF93F9FD8E4357D470.TMP

MD5 801bec65142555898afae583a0b33aa3
SHA1 f1177f499e1e2d4a5bf5ed2bc55b0f16f2cb9661
SHA256 ed56f691aaa1908065dd72356c7f9632a82037eceefc6cacf1ef37befdb00ae3
SHA512 5c72b6d9cf837b99794e5359b98b44b2c5cff18d293688f6e5da7bb7825cecb0126679d5bef0cc6e9858281ba80eefb7241f7c403b53cfb08e493045d5ef1b03

C:\Windows\rss\csrss.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22