Analysis Overview
SHA256
7932899544025eb132921b174af481caf38caca73a162306f7dadc250c403c16
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
SectopRAT payload
DcRat
Glupteba payload
RedLine payload
RedLine
Glupteba
Amadey
SmokeLoader
Windows security bypass
SectopRAT
Modifies Windows Defender Real-time Protection settings
Modifies boot configuration data using bcdedit
Modifies Windows Firewall
Drops file in Drivers directory
Blocklisted process makes network request
Possible attempt to disable PatchGuard
Stops running service(s)
Downloads MZ/PE file
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
Windows security modification
.NET Reactor proctector
Reads user/profile data of local email clients
Checks installed software on the system
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
Detected potential entity reuse from brand microsoft.
Drops file in System32 directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of UnmapMainImage
Modifies system certificate store
Enumerates system info in registry
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-19 12:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-19 12:46
Reported
2023-10-19 12:48
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\176F.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\176F.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\176F.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\176F.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\176F.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Program Files\Google\Chrome\updater.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1954.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4F3E.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\529B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\529B.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\176F.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1047.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\5451.exe'\"" | C:\Users\Admin\AppData\Local\Temp\5451.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Detected potential entity reuse from brand microsoft.
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1212 set thread context of 3792 | N/A | C:\Windows\SysWOW64\cacls.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 4108 set thread context of 5280 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
| PID 1816 set thread context of 4784 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe |
| PID 1816 set thread context of 920 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\explorer.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\529B.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\176F.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1C93.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1E1A.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
C:\Users\Admin\AppData\Local\Temp\1047.exe
C:\Users\Admin\AppData\Local\Temp\1047.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe
C:\Users\Admin\AppData\Local\Temp\10E4.exe
C:\Users\Admin\AppData\Local\Temp\10E4.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\121E.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe
C:\Users\Admin\AppData\Local\Temp\14FD.exe
C:\Users\Admin\AppData\Local\Temp\14FD.exe
C:\Users\Admin\AppData\Local\Temp\176F.exe
C:\Users\Admin\AppData\Local\Temp\176F.exe
C:\Users\Admin\AppData\Local\Temp\1954.exe
C:\Users\Admin\AppData\Local\Temp\1954.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Users\Admin\AppData\Local\Temp\1BA7.exe
C:\Users\Admin\AppData\Local\Temp\1BA7.exe
C:\Users\Admin\AppData\Local\Temp\1C93.exe
C:\Users\Admin\AppData\Local\Temp\1C93.exe
C:\Users\Admin\AppData\Local\Temp\1E1A.exe
C:\Users\Admin\AppData\Local\Temp\1E1A.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9bba946f8,0x7ff9bba94708,0x7ff9bba94718
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\259D.exe
C:\Users\Admin\AppData\Local\Temp\259D.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bba946f8,0x7ff9bba94708,0x7ff9bba94718
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2660 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2712 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\4F3E.exe
C:\Users\Admin\AppData\Local\Temp\4F3E.exe
C:\Users\Admin\AppData\Local\Temp\529B.exe
C:\Users\Admin\AppData\Local\Temp\529B.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bba946f8,0x7ff9bba94708,0x7ff9bba94718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1BA7.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Users\Admin\AppData\Local\Temp\5451.exe
C:\Users\Admin\AppData\Local\Temp\5451.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\5656.exe
C:\Users\Admin\AppData\Local\Temp\5656.exe
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4308 -ip 4308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 780
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1BA7.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bba946f8,0x7ff9bba94708,0x7ff9bba94718
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,3569658969339383047,6238542760854703869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3569658969339383047,6238542760854703869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3569658969339383047,6238542760854703869,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3569658969339383047,6238542760854703869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3569658969339383047,6238542760854703869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "csrss" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "ScheduledUpdate" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 5.42.92.88:80 | 5.42.92.88 | tcp |
| US | 8.8.8.8:53 | 88.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| RU | 5.42.92.88:80 | 5.42.92.88 | tcp |
| FI | 77.91.68.52:80 | 77.91.68.52 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.68.91.77.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | tcp | |
| TR | 185.216.70.222:80 | 185.216.70.222 | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.70.216.185.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | tcp | |
| BG | 171.22.28.213:80 | 171.22.28.213 | tcp |
| US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| NL | 85.209.176.128:80 | tcp | |
| IT | 185.196.9.65:80 | tcp | |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.9.196.185.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| NL | 157.240.201.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| TR | 185.216.70.238:37515 | tcp | |
| US | 8.8.8.8:53 | 35.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.70.216.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.75.67.172.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| US | 157.240.5.10:443 | static.xx.fbcdn.net | tcp |
| US | 157.240.5.10:443 | static.xx.fbcdn.net | tcp |
| US | 157.240.5.10:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 10.5.240.157.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | facebook.com | udp |
| US | 157.240.5.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | 35.5.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| US | 157.240.5.35:443 | fbcdn.net | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| FI | 77.91.124.71:4341 | tcp | |
| US | 8.8.8.8:53 | 59.82.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.2.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 13.107.246.67:443 | js.monitor.azure.com | tcp |
| US | 13.107.246.67:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | hellouts.fun | udp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 8.8.8.8:53 | 67.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mscom.demdex.net | udp |
| US | 8.8.8.8:53 | target.microsoft.com | udp |
| US | 8.8.8.8:53 | microsoftmscompoc.tt.omtrdc.net | udp |
| IE | 54.229.131.209:443 | mscom.demdex.net | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.131.229.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| NL | 85.209.176.128:80 | tcp | |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| US | 188.114.96.0:80 | hellouts.fun | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19ce47db-c8dc-4249-81b1-f57f2afd7d63.uuid.realupdate.ru | udp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| NL | 85.209.176.128:80 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | server7.realupdate.ru | udp |
| US | 8.8.8.8:53 | stun2.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| BG | 185.82.216.96:443 | server7.realupdate.ru | tcp |
| IN | 172.253.121.127:19302 | stun2.l.google.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.97.0:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 127.121.253.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| BG | 185.82.216.96:443 | server7.realupdate.ru | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| NL | 85.209.176.128:80 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 135.125.238.108:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| NL | 51.15.65.182:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 108.238.125.135.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.65.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | server7.realupdate.ru | udp |
| BG | 185.82.216.96:443 | server7.realupdate.ru | tcp |
| US | 8.8.8.8:53 | stun1.l.google.com | udp |
| US | 142.251.125.127:19302 | stun1.l.google.com | udp |
| US | 8.8.8.8:53 | 127.125.251.142.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| NL | 85.209.176.128:80 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
| MD5 | d5a936d1d615ac682aab5d4d3d75a57b |
| SHA1 | b3fb1d5bb8f19cc875c2b3f85eeabbb3bc936bca |
| SHA256 | 64c6c0f3bec77d6c2a6a638f9f042558e4b846390fa09d91d0374341d8aa289a |
| SHA512 | 2d2e592f9f7c07e218fc1955d9f355f6c3a127ada698bbb7fe491616582a8695958756e41945ba146eee811bc476b0609f8e916b0a13875df693b69210f4f358 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
| MD5 | d5a936d1d615ac682aab5d4d3d75a57b |
| SHA1 | b3fb1d5bb8f19cc875c2b3f85eeabbb3bc936bca |
| SHA256 | 64c6c0f3bec77d6c2a6a638f9f042558e4b846390fa09d91d0374341d8aa289a |
| SHA512 | 2d2e592f9f7c07e218fc1955d9f355f6c3a127ada698bbb7fe491616582a8695958756e41945ba146eee811bc476b0609f8e916b0a13875df693b69210f4f358 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
| MD5 | 7dca51415048717af1e6c339810b6041 |
| SHA1 | 8d1b90135d143b5c9642bcc975610da6e72eabfa |
| SHA256 | 0fe4e1a43ecc72d9acd30183f493d623d17afdf6aef74da254130c74a0eb538a |
| SHA512 | a2026453920ea5405ebf46b631e29581f057fb4e8ba27df97762670ad40782cdec629fc46363d81d74f99fbd4e2b99cea66720ba1463ab65d7a4601b4b844186 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
| MD5 | 7dca51415048717af1e6c339810b6041 |
| SHA1 | 8d1b90135d143b5c9642bcc975610da6e72eabfa |
| SHA256 | 0fe4e1a43ecc72d9acd30183f493d623d17afdf6aef74da254130c74a0eb538a |
| SHA512 | a2026453920ea5405ebf46b631e29581f057fb4e8ba27df97762670ad40782cdec629fc46363d81d74f99fbd4e2b99cea66720ba1463ab65d7a4601b4b844186 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
| MD5 | acd696ea33a76a935f848e545077ce09 |
| SHA1 | 7aee9fce363bab6d3ad5286ab1fd67e3f529fb49 |
| SHA256 | d880bac12fa2c6fecec1bc8d8fb916317737830256dad39aa22dd85b57aacc77 |
| SHA512 | 73d872eb94472cf88dfa5f6ac853c1ab27516d892e314470cd038629e279ea7c83e0c6aff5869d0b9de9b86b82f97a0086ce41a8349e31757a19889d1b0aedb8 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
| MD5 | acd696ea33a76a935f848e545077ce09 |
| SHA1 | 7aee9fce363bab6d3ad5286ab1fd67e3f529fb49 |
| SHA256 | d880bac12fa2c6fecec1bc8d8fb916317737830256dad39aa22dd85b57aacc77 |
| SHA512 | 73d872eb94472cf88dfa5f6ac853c1ab27516d892e314470cd038629e279ea7c83e0c6aff5869d0b9de9b86b82f97a0086ce41a8349e31757a19889d1b0aedb8 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
| MD5 | 87806b756fa271f76d7c51f79456e601 |
| SHA1 | 417c64c45db6222cd34aea8cf11abe6a63559c89 |
| SHA256 | 92c450026e0529747d7071c1313a5ddece56e6f94c9d657cd3e013d82c2eb8b6 |
| SHA512 | 6af27c5d363357998288f32c51e4a276d36509cd64445a57b68fd4c391329b036ce681d732ef6ad68f3422aae20c7f6973e3ca01e9b0a8a24f11d6d193885669 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
| MD5 | 87806b756fa271f76d7c51f79456e601 |
| SHA1 | 417c64c45db6222cd34aea8cf11abe6a63559c89 |
| SHA256 | 92c450026e0529747d7071c1313a5ddece56e6f94c9d657cd3e013d82c2eb8b6 |
| SHA512 | 6af27c5d363357998288f32c51e4a276d36509cd64445a57b68fd4c391329b036ce681d732ef6ad68f3422aae20c7f6973e3ca01e9b0a8a24f11d6d193885669 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
| MD5 | 22b50c95b39cbbdb00d5a4cd3d4886bd |
| SHA1 | db8326c4fad0064ce3020226e8556e7cce8ce04e |
| SHA256 | 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1 |
| SHA512 | d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
| MD5 | 22b50c95b39cbbdb00d5a4cd3d4886bd |
| SHA1 | db8326c4fad0064ce3020226e8556e7cce8ce04e |
| SHA256 | 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1 |
| SHA512 | d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac |
memory/2920-35-0x00000000009D0000-0x00000000009DA000-memory.dmp
memory/2920-36-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/2920-37-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/2920-39-0x0000000074620000-0x0000000074DD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
| MD5 | 35a15fad3767597b01a20d75c3c6889a |
| SHA1 | eef19e2757667578f73c4b5720cf94c2ab6e60c8 |
| SHA256 | 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc |
| SHA512 | c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
| MD5 | 35a15fad3767597b01a20d75c3c6889a |
| SHA1 | eef19e2757667578f73c4b5720cf94c2ab6e60c8 |
| SHA256 | 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc |
| SHA512 | c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577 |
memory/2164-45-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3160-47-0x0000000000D90000-0x0000000000DA6000-memory.dmp
memory/2164-48-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
memory/5024-55-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/5024-54-0x0000000000020000-0x000000000005E000-memory.dmp
memory/5024-56-0x0000000007390000-0x0000000007934000-memory.dmp
memory/5024-57-0x0000000006E80000-0x0000000006F12000-memory.dmp
memory/5024-58-0x0000000004A10000-0x0000000004A20000-memory.dmp
memory/5024-59-0x0000000006E10000-0x0000000006E1A000-memory.dmp
memory/5024-60-0x0000000007F60000-0x0000000008578000-memory.dmp
memory/5024-61-0x0000000007940000-0x0000000007A4A000-memory.dmp
memory/5024-62-0x00000000071C0000-0x00000000071D2000-memory.dmp
memory/5024-63-0x0000000007220000-0x000000000725C000-memory.dmp
memory/5024-64-0x0000000007260000-0x00000000072AC000-memory.dmp
memory/5024-65-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/5024-66-0x0000000004A10000-0x0000000004A20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1047.exe
| MD5 | 44211efdc03e00718d0fea8e75e423a1 |
| SHA1 | 092bee66e07dd771fc86b444fe79fffa5c875336 |
| SHA256 | 8c2f2e4bedf6d22bf1951428a0758c62fcba09b5e97253eb906b82d992549889 |
| SHA512 | f1d589a500783e039b545ed205e7d06196e986ff745580e87eebaabec39892ca7cc382ae71b16cd5fc3c67e0b3f31510214f518b4b42e5162edc44996d77c42a |
C:\Users\Admin\AppData\Local\Temp\1047.exe
| MD5 | 44211efdc03e00718d0fea8e75e423a1 |
| SHA1 | 092bee66e07dd771fc86b444fe79fffa5c875336 |
| SHA256 | 8c2f2e4bedf6d22bf1951428a0758c62fcba09b5e97253eb906b82d992549889 |
| SHA512 | f1d589a500783e039b545ed205e7d06196e986ff745580e87eebaabec39892ca7cc382ae71b16cd5fc3c67e0b3f31510214f518b4b42e5162edc44996d77c42a |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe
| MD5 | f3ceb6311015a60b63fbcf853e4d8838 |
| SHA1 | 173bb30d9ca88329e0aed6c423ef6e49479fb545 |
| SHA256 | 598178b458a348f2b95c33648dfc20099c4eed047db4fb09b1cad2c4fc65d16f |
| SHA512 | 63383b8fad0074082980e75e5b3f4c1dc8b4273cebaae7d9b1019eac068ad959b30759a7640a70267dde9e7ec43cb2bd93f17b6fd12ed3df6fef60bd85509bf4 |
C:\Users\Admin\AppData\Local\Temp\10E4.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\10E4.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\10E4.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe
| MD5 | f3ceb6311015a60b63fbcf853e4d8838 |
| SHA1 | 173bb30d9ca88329e0aed6c423ef6e49479fb545 |
| SHA256 | 598178b458a348f2b95c33648dfc20099c4eed047db4fb09b1cad2c4fc65d16f |
| SHA512 | 63383b8fad0074082980e75e5b3f4c1dc8b4273cebaae7d9b1019eac068ad959b30759a7640a70267dde9e7ec43cb2bd93f17b6fd12ed3df6fef60bd85509bf4 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe
| MD5 | b8480037a4d460dc883b32a0c4ed84c9 |
| SHA1 | 96d098132b54e2bb22074d87d07ae76934eda05e |
| SHA256 | 97e685412c57ec82ef8ff3f6bd3ab019b15424dc7c79501bc4645d31a39e3901 |
| SHA512 | 9cf0c4c7749ea632eeef09984c5003ccba8d3d7c5e3d4de818791b1c619db401a8b47c6c8ff763cb2c1d7dd2af57b9a877bf5aa49cab57282724153b293811e1 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\4OV624Qt.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe
| MD5 | b8480037a4d460dc883b32a0c4ed84c9 |
| SHA1 | 96d098132b54e2bb22074d87d07ae76934eda05e |
| SHA256 | 97e685412c57ec82ef8ff3f6bd3ab019b15424dc7c79501bc4645d31a39e3901 |
| SHA512 | 9cf0c4c7749ea632eeef09984c5003ccba8d3d7c5e3d4de818791b1c619db401a8b47c6c8ff763cb2c1d7dd2af57b9a877bf5aa49cab57282724153b293811e1 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe
| MD5 | cce753efe2914e6ad4fb038e7132fd33 |
| SHA1 | 772ab798331195ec9534e1130fad551c60858339 |
| SHA256 | c40b5cd18b1fc5463361caa997f4302eacf83870f4971a320c2ce454fbff6cb5 |
| SHA512 | 6f2944ab6e03e9b4563667daa530563197be7f1f73a0dfdfc1ceff92f978f70af374bd35f156ca32fbaa63f04b68bc7946336bb4050513e8dc2360bd8ce484ea |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe
| MD5 | cce753efe2914e6ad4fb038e7132fd33 |
| SHA1 | 772ab798331195ec9534e1130fad551c60858339 |
| SHA256 | c40b5cd18b1fc5463361caa997f4302eacf83870f4971a320c2ce454fbff6cb5 |
| SHA512 | 6f2944ab6e03e9b4563667daa530563197be7f1f73a0dfdfc1ceff92f978f70af374bd35f156ca32fbaa63f04b68bc7946336bb4050513e8dc2360bd8ce484ea |
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe
| MD5 | 099f99e3884ab3edc405aee89200d7f4 |
| SHA1 | 93e5cb16c9fb947af861e77ae739035706445fe3 |
| SHA256 | 820072848482f8f5dcfc9e6ce137250e4e02ded72bd95ee0119e549edc290ce0 |
| SHA512 | e3b4ee447f36cf9e2ab405aa229c7ba8963ac2db9b78d12f706b6f69d3a512cae49687ba84f94de4d8a186146883438772a3dd07408d25194475880fdfa46f22 |
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe
| MD5 | 099f99e3884ab3edc405aee89200d7f4 |
| SHA1 | 93e5cb16c9fb947af861e77ae739035706445fe3 |
| SHA256 | 820072848482f8f5dcfc9e6ce137250e4e02ded72bd95ee0119e549edc290ce0 |
| SHA512 | e3b4ee447f36cf9e2ab405aa229c7ba8963ac2db9b78d12f706b6f69d3a512cae49687ba84f94de4d8a186146883438772a3dd07408d25194475880fdfa46f22 |
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\121E.bat
| MD5 | 403991c4d18ac84521ba17f264fa79f2 |
| SHA1 | 850cc068de0963854b0fe8f485d951072474fd45 |
| SHA256 | ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f |
| SHA512 | a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576 |
C:\Users\Admin\AppData\Local\Temp\14FD.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
C:\Users\Admin\AppData\Local\Temp\14FD.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe
| MD5 | 6c2726b56d7324b9cee3e4aa7d481d99 |
| SHA1 | 3e417972b5b5f3ef473a2beea6e6596c774e603c |
| SHA256 | 5afd27015147648e6ff2be220d33c679c8e85f7b2a2dd600f562b07ce1069253 |
| SHA512 | 3d76dfc6793db1ef026db0a7077a55db6376f000232e19a4fca45b69f13675ee699bfb4ea5eeb79e216ce5577453057a7c5959cab46c3d0dc30f2cfb15bb42a6 |
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe
| MD5 | 6c2726b56d7324b9cee3e4aa7d481d99 |
| SHA1 | 3e417972b5b5f3ef473a2beea6e6596c774e603c |
| SHA256 | 5afd27015147648e6ff2be220d33c679c8e85f7b2a2dd600f562b07ce1069253 |
| SHA512 | 3d76dfc6793db1ef026db0a7077a55db6376f000232e19a4fca45b69f13675ee699bfb4ea5eeb79e216ce5577453057a7c5959cab46c3d0dc30f2cfb15bb42a6 |
memory/4864-122-0x0000000000B20000-0x0000000000B5E000-memory.dmp
memory/1000-121-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/4864-123-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/1000-124-0x00000000073A0000-0x00000000073B0000-memory.dmp
memory/4864-125-0x0000000007AF0000-0x0000000007B00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\176F.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
C:\Users\Admin\AppData\Local\Temp\176F.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
memory/3628-131-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/3628-132-0x0000000004B60000-0x0000000004B70000-memory.dmp
memory/3628-134-0x0000000004B60000-0x0000000004B70000-memory.dmp
memory/3628-136-0x0000000004B60000-0x0000000004B70000-memory.dmp
memory/3628-133-0x0000000004990000-0x00000000049AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1954.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\1954.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/3628-130-0x0000000002170000-0x0000000002190000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/3628-142-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1BA7.exe
| MD5 | b9fbf1ffd7f18fa178219df9e5a4d7f9 |
| SHA1 | be2d63df44dbbb754fc972e18adf9d56a1adcce4 |
| SHA256 | 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f |
| SHA512 | ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8 |
memory/3628-146-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/3628-148-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/3628-152-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1C93.exe
| MD5 | 7f28547a6060699461824f75c96feaeb |
| SHA1 | 744195a7d3ef1aa32dcb99d15f73e26a20813259 |
| SHA256 | ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff |
| SHA512 | eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239 |
memory/3628-156-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/3628-158-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1BA7.exe
| MD5 | b9fbf1ffd7f18fa178219df9e5a4d7f9 |
| SHA1 | be2d63df44dbbb754fc972e18adf9d56a1adcce4 |
| SHA256 | 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f |
| SHA512 | ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8 |
memory/3628-163-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1E1A.exe
| MD5 | 20e21e63bb7a95492aec18de6aa85ab9 |
| SHA1 | 6cbf2079a42d86bf155c06c7ad5360c539c02b15 |
| SHA256 | 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17 |
| SHA512 | 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33 |
memory/3628-166-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1C93.exe
| MD5 | 7f28547a6060699461824f75c96feaeb |
| SHA1 | 744195a7d3ef1aa32dcb99d15f73e26a20813259 |
| SHA256 | ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff |
| SHA512 | eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239 |
memory/5048-175-0x0000000000FF0000-0x000000000100E000-memory.dmp
memory/3628-173-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/4020-180-0x0000000000F00000-0x0000000000F5A000-memory.dmp
memory/3628-183-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/3628-186-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/1000-188-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/3544-192-0x0000000000400000-0x0000000000470000-memory.dmp
memory/5048-195-0x0000000003320000-0x0000000003330000-memory.dmp
memory/4020-198-0x0000000005750000-0x0000000005760000-memory.dmp
memory/3628-205-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
memory/3544-191-0x00000000006D0000-0x000000000072A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/3628-193-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/5048-182-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/3628-178-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/4020-177-0x0000000074620000-0x0000000074DD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1E1A.exe
| MD5 | 20e21e63bb7a95492aec18de6aa85ab9 |
| SHA1 | 6cbf2079a42d86bf155c06c7ad5360c539c02b15 |
| SHA256 | 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17 |
| SHA512 | 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33 |
memory/3628-209-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\259D.exe
| MD5 | a8eb605b301ac27461ce89d51a4d73ce |
| SHA1 | f3e2120787f20577963189b711567cc5d7b19d4e |
| SHA256 | 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61 |
| SHA512 | 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a |
memory/3628-213-0x0000000004990000-0x00000000049A8000-memory.dmp
memory/4864-208-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/3628-215-0x0000000004990000-0x00000000049A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\259D.exe
| MD5 | a8eb605b301ac27461ce89d51a4d73ce |
| SHA1 | f3e2120787f20577963189b711567cc5d7b19d4e |
| SHA256 | 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61 |
| SHA512 | 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a |
memory/1212-223-0x0000000000250000-0x000000000036B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
memory/4020-222-0x00000000088D0000-0x0000000008936000-memory.dmp
memory/3792-225-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3628-240-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/1212-239-0x0000000000250000-0x000000000036B000-memory.dmp
memory/3792-241-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/3628-243-0x0000000004B60000-0x0000000004B70000-memory.dmp
memory/3628-242-0x0000000004B60000-0x0000000004B70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
\??\pipe\LOCAL\crashpad_4360_OUCCJPBOEUIDOBKH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4864-234-0x0000000007AF0000-0x0000000007B00000-memory.dmp
memory/3628-246-0x0000000004B60000-0x0000000004B70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 07264bc88b03952784228086acac27e8 |
| SHA1 | 06677d19cece17b2a28348251c4dc4d00f7fa9ce |
| SHA256 | 3fe27c996fbee0626664a597e82ecc045c75671636b05390e2ce54b9f11403bf |
| SHA512 | 083af26c2affe4a186a783545264ac714edf21ff1a1f808507ff5054a48904ce4b6b12a3082157ee005e805ce74419926923d87d4339b0ed92a28dae8dc02215 |
memory/4020-280-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/5048-281-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/4020-284-0x0000000009F40000-0x0000000009F90000-memory.dmp
memory/4020-285-0x000000000A010000-0x000000000A086000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/4020-287-0x000000000A270000-0x000000000A432000-memory.dmp
memory/4020-291-0x000000000A970000-0x000000000AE9C000-memory.dmp
memory/5048-292-0x0000000003320000-0x0000000003330000-memory.dmp
memory/4020-297-0x000000000A170000-0x000000000A18E000-memory.dmp
memory/4020-303-0x0000000005750000-0x0000000005760000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Temp\4F3E.exe
| MD5 | 85fb3b5dffede43c9eb9510b19e440b4 |
| SHA1 | 6623493bbc3dd0fb63b8b8740b22d682e91204b1 |
| SHA256 | 3bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a |
| SHA512 | af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40 |
C:\Users\Admin\AppData\Local\Temp\4F3E.exe
| MD5 | 85fb3b5dffede43c9eb9510b19e440b4 |
| SHA1 | 6623493bbc3dd0fb63b8b8740b22d682e91204b1 |
| SHA256 | 3bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a |
| SHA512 | af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40 |
memory/1464-315-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/3628-317-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/1464-316-0x0000000000870000-0x0000000001272000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 85ad0ae411cc92d29eb28be73fb9e678 |
| SHA1 | b6b0c1618c5dc0685dcca2222d0625e06a7c8bf0 |
| SHA256 | 9936207d25e6cb016a9b4ec1f9fa0b40f5669d1f606b419c94735e06423d2b18 |
| SHA512 | 58ff2ed697872fe01c11f3ffb2c729bb759139534265c64a80038c5ae73cda3d0e6b63cf930beff52cacc9c28339736dea414d6206291ec681639391b27bae85 |
C:\Users\Admin\AppData\Local\Temp\529B.exe
| MD5 | 42d97769a8cfdfedac8e03f6903e076b |
| SHA1 | 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe |
| SHA256 | f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b |
| SHA512 | 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 16c2a9f4b2e1386aab0e353614a63f0d |
| SHA1 | 6edd3be593b653857e579cbd3db7aa7e1df3e30f |
| SHA256 | 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81 |
| SHA512 | aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06 |
C:\Users\Admin\AppData\Local\Temp\5451.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | e5bbfaa96a70b5c2316d1befe5a1b85c |
| SHA1 | 399a478e94abf553332d11c18b9f88894ecaeabe |
| SHA256 | b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30 |
| SHA512 | bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 0bce2fed456a72a2486b1d17621c88d6 |
| SHA1 | 4cbff382f76920526ec0bc81a05bfd372dd88229 |
| SHA256 | 09d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b |
| SHA512 | 74c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4 |
memory/3792-360-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/4308-362-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4108-364-0x00000000006B0000-0x00000000007B0000-memory.dmp
memory/4108-366-0x00000000020C0000-0x00000000020C9000-memory.dmp
memory/4308-367-0x00000000001C0000-0x00000000001DE000-memory.dmp
memory/5280-363-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 00e93a09fd10108e2bc4507bda7302cb |
| SHA1 | 578dfa88d0d25caf48fd2cf6d44db38a109b6ee2 |
| SHA256 | 771d1ce9da906ed7d55d56863944ff4ae35cb3acd4b758996e31516f8b1d47de |
| SHA512 | b3e165986394eb93c6efd0868d45565a98032cf7162292fe072d8db67b1a0395cadad896e172f0b41f22ef438c5082e3d3061fe116e545ea793ccab88e5f75c1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 699e3636ed7444d9b47772e4446ccfc1 |
| SHA1 | db0459ca6ceeea2e87e0023a6b7ee06aeed6fded |
| SHA256 | 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a |
| SHA512 | d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/3160-439-0x0000000002D80000-0x0000000002D96000-memory.dmp
memory/5280-440-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e203500de24f55c758d73841a82f9f19 |
| SHA1 | e0c4880d86356b80b4239450d99f336cc77e07b4 |
| SHA256 | 9d47690912b8864f956723d122c4eaa26fd75b5732df96181d41e622b4c40e27 |
| SHA512 | a683290c9c58120abc48668e13e62e198e26eba09e3dd917ea04864742abaa8cf573a9765dc94aa04bbfc726979122bee43d544cd404977d7923b615ad0e04fb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 13971bc59989b016beed4d0b4fad65bb |
| SHA1 | 127a044cb5113b139e36e287fe7910e25c1d0b7d |
| SHA256 | 2d0e9bff6856b566f2966430ecc6f849920199803f9efb63faaf8ee5135c82b6 |
| SHA512 | 07de5c65841e5215cb6ad51bd4f688be417527d7fa99574938f63a553a0308132d973b3c5ac600cf157ae546b72896bf9ae88b58d0c97b54e574661820964281 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dcsrmiyu.dc2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4308-487-0x0000000004940000-0x0000000004970000-memory.dmp
memory/4308-488-0x0000000004970000-0x00000000049A0000-memory.dmp
memory/3592-494-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/5260-498-0x00007FF783AA0000-0x00007FF784041000-memory.dmp
memory/3592-555-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/1940-577-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-19 12:46
Reported
2023-10-19 12:48
Platform
win7-20230831-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\DCEB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\DCEB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\DCEB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\DCEB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\DCEB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Program Files\Google\Chrome\updater.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Stops running service(s)
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\DCEB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\24BC.exe'\"" | C:\Users\Admin\AppData\Local\Temp\24BC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\D76B.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 768 set thread context of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\F86C.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 1400 set thread context of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
| PID 1116 set thread context of 2968 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe |
| PID 1116 set thread context of 2648 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\explorer.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\CbsPersist_20231019124710.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\E804.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | C:\Windows\system32\netsh.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\1C33.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\1C33.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\1C33.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\1C33.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DCEB.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EE4D.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1C33.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
C:\Users\Admin\AppData\Local\Temp\D76B.exe
C:\Users\Admin\AppData\Local\Temp\D76B.exe
C:\Users\Admin\AppData\Local\Temp\D837.exe
C:\Users\Admin\AppData\Local\Temp\D837.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\D9CD.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe
C:\Users\Admin\AppData\Local\Temp\DAE7.exe
C:\Users\Admin\AppData\Local\Temp\DAE7.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe
C:\Users\Admin\AppData\Local\Temp\DCEB.exe
C:\Users\Admin\AppData\Local\Temp\DCEB.exe
C:\Users\Admin\AppData\Local\Temp\DE43.exe
C:\Users\Admin\AppData\Local\Temp\DE43.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\E804.exe
C:\Users\Admin\AppData\Local\Temp\E804.exe
C:\Users\Admin\AppData\Local\Temp\EB21.exe
C:\Users\Admin\AppData\Local\Temp\EB21.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 524
C:\Users\Admin\AppData\Local\Temp\EE4D.exe
C:\Users\Admin\AppData\Local\Temp\EE4D.exe
C:\Users\Admin\AppData\Local\Temp\F86C.exe
C:\Users\Admin\AppData\Local\Temp\F86C.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {50E150EA-4FF7-462F-867E-220058A9D1CA} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\16F4.exe
C:\Users\Admin\AppData\Local\Temp\16F4.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\1C33.exe
C:\Users\Admin\AppData\Local\Temp\1C33.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\24BC.exe
C:\Users\Admin\AppData\Local\Temp\24BC.exe
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\2A49.exe
C:\Users\Admin\AppData\Local\Temp\2A49.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231019124710.log C:\Windows\Logs\CBS\CbsPersist_20231019124710.cab
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\system32\taskeng.exe
taskeng.exe {8870F154-D933-439A-8FFD-45FF48D725CD} S-1-5-18:NT AUTHORITY\System:Service:
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
Network
| Country | Destination | Domain | Proto |
| RU | 5.42.92.88:80 | 5.42.92.88 | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| RU | 5.42.92.88:80 | 5.42.92.88 | tcp |
| FI | 77.91.68.52:80 | 77.91.68.52 | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| RU | 5.42.92.88:80 | 5.42.92.88 | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| TR | 185.216.70.222:80 | 185.216.70.222 | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| NL | 85.209.176.128:80 | tcp | |
| IT | 185.196.9.65:80 | tcp | |
| BG | 171.22.28.213:80 | 171.22.28.213 | tcp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| TR | 185.216.70.238:37515 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | h2o.activebuy.top | udp |
| MD | 37.221.65.143:8443 | h2o.activebuy.top | tcp |
| FI | 77.91.124.71:4341 | tcp | |
| US | 8.8.8.8:53 | hellouts.fun | udp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| NL | 85.209.176.128:80 | tcp | |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 8.8.8.8:53 | 4004202f-7530-4668-b7d9-9e3cb3794da2.uuid.realupdate.ru | udp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 188.114.97.0:80 | hellouts.fun | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| NL | 85.209.176.128:80 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | vsblobprodscussu5shard58.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard58.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | server2.realupdate.ru | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun.sipgate.net | udp |
| US | 3.33.249.248:3478 | stun.sipgate.net | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.96:443 | server2.realupdate.ru | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.96.0:443 | walkinglate.com | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| NL | 85.209.176.128:80 | tcp | |
| BG | 185.82.216.96:443 | server2.realupdate.ru | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 163.172.154.142:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| FR | 212.47.253.124:14433 | xmr-eu1.nanopool.org | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| NL | 85.209.176.128:80 | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
| MD5 | d5a936d1d615ac682aab5d4d3d75a57b |
| SHA1 | b3fb1d5bb8f19cc875c2b3f85eeabbb3bc936bca |
| SHA256 | 64c6c0f3bec77d6c2a6a638f9f042558e4b846390fa09d91d0374341d8aa289a |
| SHA512 | 2d2e592f9f7c07e218fc1955d9f355f6c3a127ada698bbb7fe491616582a8695958756e41945ba146eee811bc476b0609f8e916b0a13875df693b69210f4f358 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
| MD5 | d5a936d1d615ac682aab5d4d3d75a57b |
| SHA1 | b3fb1d5bb8f19cc875c2b3f85eeabbb3bc936bca |
| SHA256 | 64c6c0f3bec77d6c2a6a638f9f042558e4b846390fa09d91d0374341d8aa289a |
| SHA512 | 2d2e592f9f7c07e218fc1955d9f355f6c3a127ada698bbb7fe491616582a8695958756e41945ba146eee811bc476b0609f8e916b0a13875df693b69210f4f358 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
| MD5 | d5a936d1d615ac682aab5d4d3d75a57b |
| SHA1 | b3fb1d5bb8f19cc875c2b3f85eeabbb3bc936bca |
| SHA256 | 64c6c0f3bec77d6c2a6a638f9f042558e4b846390fa09d91d0374341d8aa289a |
| SHA512 | 2d2e592f9f7c07e218fc1955d9f355f6c3a127ada698bbb7fe491616582a8695958756e41945ba146eee811bc476b0609f8e916b0a13875df693b69210f4f358 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
| MD5 | d5a936d1d615ac682aab5d4d3d75a57b |
| SHA1 | b3fb1d5bb8f19cc875c2b3f85eeabbb3bc936bca |
| SHA256 | 64c6c0f3bec77d6c2a6a638f9f042558e4b846390fa09d91d0374341d8aa289a |
| SHA512 | 2d2e592f9f7c07e218fc1955d9f355f6c3a127ada698bbb7fe491616582a8695958756e41945ba146eee811bc476b0609f8e916b0a13875df693b69210f4f358 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
| MD5 | 7dca51415048717af1e6c339810b6041 |
| SHA1 | 8d1b90135d143b5c9642bcc975610da6e72eabfa |
| SHA256 | 0fe4e1a43ecc72d9acd30183f493d623d17afdf6aef74da254130c74a0eb538a |
| SHA512 | a2026453920ea5405ebf46b631e29581f057fb4e8ba27df97762670ad40782cdec629fc46363d81d74f99fbd4e2b99cea66720ba1463ab65d7a4601b4b844186 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
| MD5 | 7dca51415048717af1e6c339810b6041 |
| SHA1 | 8d1b90135d143b5c9642bcc975610da6e72eabfa |
| SHA256 | 0fe4e1a43ecc72d9acd30183f493d623d17afdf6aef74da254130c74a0eb538a |
| SHA512 | a2026453920ea5405ebf46b631e29581f057fb4e8ba27df97762670ad40782cdec629fc46363d81d74f99fbd4e2b99cea66720ba1463ab65d7a4601b4b844186 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
| MD5 | 7dca51415048717af1e6c339810b6041 |
| SHA1 | 8d1b90135d143b5c9642bcc975610da6e72eabfa |
| SHA256 | 0fe4e1a43ecc72d9acd30183f493d623d17afdf6aef74da254130c74a0eb538a |
| SHA512 | a2026453920ea5405ebf46b631e29581f057fb4e8ba27df97762670ad40782cdec629fc46363d81d74f99fbd4e2b99cea66720ba1463ab65d7a4601b4b844186 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
| MD5 | 7dca51415048717af1e6c339810b6041 |
| SHA1 | 8d1b90135d143b5c9642bcc975610da6e72eabfa |
| SHA256 | 0fe4e1a43ecc72d9acd30183f493d623d17afdf6aef74da254130c74a0eb538a |
| SHA512 | a2026453920ea5405ebf46b631e29581f057fb4e8ba27df97762670ad40782cdec629fc46363d81d74f99fbd4e2b99cea66720ba1463ab65d7a4601b4b844186 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
| MD5 | acd696ea33a76a935f848e545077ce09 |
| SHA1 | 7aee9fce363bab6d3ad5286ab1fd67e3f529fb49 |
| SHA256 | d880bac12fa2c6fecec1bc8d8fb916317737830256dad39aa22dd85b57aacc77 |
| SHA512 | 73d872eb94472cf88dfa5f6ac853c1ab27516d892e314470cd038629e279ea7c83e0c6aff5869d0b9de9b86b82f97a0086ce41a8349e31757a19889d1b0aedb8 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
| MD5 | acd696ea33a76a935f848e545077ce09 |
| SHA1 | 7aee9fce363bab6d3ad5286ab1fd67e3f529fb49 |
| SHA256 | d880bac12fa2c6fecec1bc8d8fb916317737830256dad39aa22dd85b57aacc77 |
| SHA512 | 73d872eb94472cf88dfa5f6ac853c1ab27516d892e314470cd038629e279ea7c83e0c6aff5869d0b9de9b86b82f97a0086ce41a8349e31757a19889d1b0aedb8 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
| MD5 | acd696ea33a76a935f848e545077ce09 |
| SHA1 | 7aee9fce363bab6d3ad5286ab1fd67e3f529fb49 |
| SHA256 | d880bac12fa2c6fecec1bc8d8fb916317737830256dad39aa22dd85b57aacc77 |
| SHA512 | 73d872eb94472cf88dfa5f6ac853c1ab27516d892e314470cd038629e279ea7c83e0c6aff5869d0b9de9b86b82f97a0086ce41a8349e31757a19889d1b0aedb8 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
| MD5 | acd696ea33a76a935f848e545077ce09 |
| SHA1 | 7aee9fce363bab6d3ad5286ab1fd67e3f529fb49 |
| SHA256 | d880bac12fa2c6fecec1bc8d8fb916317737830256dad39aa22dd85b57aacc77 |
| SHA512 | 73d872eb94472cf88dfa5f6ac853c1ab27516d892e314470cd038629e279ea7c83e0c6aff5869d0b9de9b86b82f97a0086ce41a8349e31757a19889d1b0aedb8 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
| MD5 | 87806b756fa271f76d7c51f79456e601 |
| SHA1 | 417c64c45db6222cd34aea8cf11abe6a63559c89 |
| SHA256 | 92c450026e0529747d7071c1313a5ddece56e6f94c9d657cd3e013d82c2eb8b6 |
| SHA512 | 6af27c5d363357998288f32c51e4a276d36509cd64445a57b68fd4c391329b036ce681d732ef6ad68f3422aae20c7f6973e3ca01e9b0a8a24f11d6d193885669 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
| MD5 | 87806b756fa271f76d7c51f79456e601 |
| SHA1 | 417c64c45db6222cd34aea8cf11abe6a63559c89 |
| SHA256 | 92c450026e0529747d7071c1313a5ddece56e6f94c9d657cd3e013d82c2eb8b6 |
| SHA512 | 6af27c5d363357998288f32c51e4a276d36509cd64445a57b68fd4c391329b036ce681d732ef6ad68f3422aae20c7f6973e3ca01e9b0a8a24f11d6d193885669 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
| MD5 | 87806b756fa271f76d7c51f79456e601 |
| SHA1 | 417c64c45db6222cd34aea8cf11abe6a63559c89 |
| SHA256 | 92c450026e0529747d7071c1313a5ddece56e6f94c9d657cd3e013d82c2eb8b6 |
| SHA512 | 6af27c5d363357998288f32c51e4a276d36509cd64445a57b68fd4c391329b036ce681d732ef6ad68f3422aae20c7f6973e3ca01e9b0a8a24f11d6d193885669 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
| MD5 | 87806b756fa271f76d7c51f79456e601 |
| SHA1 | 417c64c45db6222cd34aea8cf11abe6a63559c89 |
| SHA256 | 92c450026e0529747d7071c1313a5ddece56e6f94c9d657cd3e013d82c2eb8b6 |
| SHA512 | 6af27c5d363357998288f32c51e4a276d36509cd64445a57b68fd4c391329b036ce681d732ef6ad68f3422aae20c7f6973e3ca01e9b0a8a24f11d6d193885669 |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
| MD5 | 22b50c95b39cbbdb00d5a4cd3d4886bd |
| SHA1 | db8326c4fad0064ce3020226e8556e7cce8ce04e |
| SHA256 | 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1 |
| SHA512 | d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
| MD5 | 22b50c95b39cbbdb00d5a4cd3d4886bd |
| SHA1 | db8326c4fad0064ce3020226e8556e7cce8ce04e |
| SHA256 | 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1 |
| SHA512 | d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
| MD5 | 22b50c95b39cbbdb00d5a4cd3d4886bd |
| SHA1 | db8326c4fad0064ce3020226e8556e7cce8ce04e |
| SHA256 | 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1 |
| SHA512 | d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
| MD5 | 22b50c95b39cbbdb00d5a4cd3d4886bd |
| SHA1 | db8326c4fad0064ce3020226e8556e7cce8ce04e |
| SHA256 | 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1 |
| SHA512 | d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac |
memory/2528-50-0x0000000000850000-0x000000000085A000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
| MD5 | 35a15fad3767597b01a20d75c3c6889a |
| SHA1 | eef19e2757667578f73c4b5720cf94c2ab6e60c8 |
| SHA256 | 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc |
| SHA512 | c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
| MD5 | 35a15fad3767597b01a20d75c3c6889a |
| SHA1 | eef19e2757667578f73c4b5720cf94c2ab6e60c8 |
| SHA256 | 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc |
| SHA512 | c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
| MD5 | 35a15fad3767597b01a20d75c3c6889a |
| SHA1 | eef19e2757667578f73c4b5720cf94c2ab6e60c8 |
| SHA256 | 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc |
| SHA512 | c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
| MD5 | 35a15fad3767597b01a20d75c3c6889a |
| SHA1 | eef19e2757667578f73c4b5720cf94c2ab6e60c8 |
| SHA256 | 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc |
| SHA512 | c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577 |
memory/2764-58-0x00000000001A0000-0x00000000001A9000-memory.dmp
memory/2764-64-0x00000000001A0000-0x00000000001A9000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
| MD5 | 35a15fad3767597b01a20d75c3c6889a |
| SHA1 | eef19e2757667578f73c4b5720cf94c2ab6e60c8 |
| SHA256 | 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc |
| SHA512 | c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
| MD5 | 35a15fad3767597b01a20d75c3c6889a |
| SHA1 | eef19e2757667578f73c4b5720cf94c2ab6e60c8 |
| SHA256 | 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc |
| SHA512 | c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577 |
memory/2756-68-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1268-69-0x0000000002B60000-0x0000000002B76000-memory.dmp
memory/2756-70-0x0000000000400000-0x0000000000409000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
memory/1560-79-0x00000000010A0000-0x00000000010DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D76B.exe
| MD5 | 44211efdc03e00718d0fea8e75e423a1 |
| SHA1 | 092bee66e07dd771fc86b444fe79fffa5c875336 |
| SHA256 | 8c2f2e4bedf6d22bf1951428a0758c62fcba09b5e97253eb906b82d992549889 |
| SHA512 | f1d589a500783e039b545ed205e7d06196e986ff745580e87eebaabec39892ca7cc382ae71b16cd5fc3c67e0b3f31510214f518b4b42e5162edc44996d77c42a |
C:\Users\Admin\AppData\Local\Temp\D76B.exe
| MD5 | 44211efdc03e00718d0fea8e75e423a1 |
| SHA1 | 092bee66e07dd771fc86b444fe79fffa5c875336 |
| SHA256 | 8c2f2e4bedf6d22bf1951428a0758c62fcba09b5e97253eb906b82d992549889 |
| SHA512 | f1d589a500783e039b545ed205e7d06196e986ff745580e87eebaabec39892ca7cc382ae71b16cd5fc3c67e0b3f31510214f518b4b42e5162edc44996d77c42a |
\Users\Admin\AppData\Local\Temp\D76B.exe
| MD5 | 44211efdc03e00718d0fea8e75e423a1 |
| SHA1 | 092bee66e07dd771fc86b444fe79fffa5c875336 |
| SHA256 | 8c2f2e4bedf6d22bf1951428a0758c62fcba09b5e97253eb906b82d992549889 |
| SHA512 | f1d589a500783e039b545ed205e7d06196e986ff745580e87eebaabec39892ca7cc382ae71b16cd5fc3c67e0b3f31510214f518b4b42e5162edc44996d77c42a |
C:\Users\Admin\AppData\Local\Temp\D837.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\D837.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe
| MD5 | f3ceb6311015a60b63fbcf853e4d8838 |
| SHA1 | 173bb30d9ca88329e0aed6c423ef6e49479fb545 |
| SHA256 | 598178b458a348f2b95c33648dfc20099c4eed047db4fb09b1cad2c4fc65d16f |
| SHA512 | 63383b8fad0074082980e75e5b3f4c1dc8b4273cebaae7d9b1019eac068ad959b30759a7640a70267dde9e7ec43cb2bd93f17b6fd12ed3df6fef60bd85509bf4 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe
| MD5 | f3ceb6311015a60b63fbcf853e4d8838 |
| SHA1 | 173bb30d9ca88329e0aed6c423ef6e49479fb545 |
| SHA256 | 598178b458a348f2b95c33648dfc20099c4eed047db4fb09b1cad2c4fc65d16f |
| SHA512 | 63383b8fad0074082980e75e5b3f4c1dc8b4273cebaae7d9b1019eac068ad959b30759a7640a70267dde9e7ec43cb2bd93f17b6fd12ed3df6fef60bd85509bf4 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe
| MD5 | f3ceb6311015a60b63fbcf853e4d8838 |
| SHA1 | 173bb30d9ca88329e0aed6c423ef6e49479fb545 |
| SHA256 | 598178b458a348f2b95c33648dfc20099c4eed047db4fb09b1cad2c4fc65d16f |
| SHA512 | 63383b8fad0074082980e75e5b3f4c1dc8b4273cebaae7d9b1019eac068ad959b30759a7640a70267dde9e7ec43cb2bd93f17b6fd12ed3df6fef60bd85509bf4 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe
| MD5 | f3ceb6311015a60b63fbcf853e4d8838 |
| SHA1 | 173bb30d9ca88329e0aed6c423ef6e49479fb545 |
| SHA256 | 598178b458a348f2b95c33648dfc20099c4eed047db4fb09b1cad2c4fc65d16f |
| SHA512 | 63383b8fad0074082980e75e5b3f4c1dc8b4273cebaae7d9b1019eac068ad959b30759a7640a70267dde9e7ec43cb2bd93f17b6fd12ed3df6fef60bd85509bf4 |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe
| MD5 | b8480037a4d460dc883b32a0c4ed84c9 |
| SHA1 | 96d098132b54e2bb22074d87d07ae76934eda05e |
| SHA256 | 97e685412c57ec82ef8ff3f6bd3ab019b15424dc7c79501bc4645d31a39e3901 |
| SHA512 | 9cf0c4c7749ea632eeef09984c5003ccba8d3d7c5e3d4de818791b1c619db401a8b47c6c8ff763cb2c1d7dd2af57b9a877bf5aa49cab57282724153b293811e1 |
\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe
| MD5 | b8480037a4d460dc883b32a0c4ed84c9 |
| SHA1 | 96d098132b54e2bb22074d87d07ae76934eda05e |
| SHA256 | 97e685412c57ec82ef8ff3f6bd3ab019b15424dc7c79501bc4645d31a39e3901 |
| SHA512 | 9cf0c4c7749ea632eeef09984c5003ccba8d3d7c5e3d4de818791b1c619db401a8b47c6c8ff763cb2c1d7dd2af57b9a877bf5aa49cab57282724153b293811e1 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe
| MD5 | b8480037a4d460dc883b32a0c4ed84c9 |
| SHA1 | 96d098132b54e2bb22074d87d07ae76934eda05e |
| SHA256 | 97e685412c57ec82ef8ff3f6bd3ab019b15424dc7c79501bc4645d31a39e3901 |
| SHA512 | 9cf0c4c7749ea632eeef09984c5003ccba8d3d7c5e3d4de818791b1c619db401a8b47c6c8ff763cb2c1d7dd2af57b9a877bf5aa49cab57282724153b293811e1 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe
| MD5 | b8480037a4d460dc883b32a0c4ed84c9 |
| SHA1 | 96d098132b54e2bb22074d87d07ae76934eda05e |
| SHA256 | 97e685412c57ec82ef8ff3f6bd3ab019b15424dc7c79501bc4645d31a39e3901 |
| SHA512 | 9cf0c4c7749ea632eeef09984c5003ccba8d3d7c5e3d4de818791b1c619db401a8b47c6c8ff763cb2c1d7dd2af57b9a877bf5aa49cab57282724153b293811e1 |
C:\Users\Admin\AppData\Local\Temp\D9CD.bat
| MD5 | 403991c4d18ac84521ba17f264fa79f2 |
| SHA1 | 850cc068de0963854b0fe8f485d951072474fd45 |
| SHA256 | ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f |
| SHA512 | a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\4OV624Qt.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
C:\Users\Admin\AppData\Local\Temp\D9CD.bat
| MD5 | 403991c4d18ac84521ba17f264fa79f2 |
| SHA1 | 850cc068de0963854b0fe8f485d951072474fd45 |
| SHA256 | ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f |
| SHA512 | a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576 |
\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe
| MD5 | cce753efe2914e6ad4fb038e7132fd33 |
| SHA1 | 772ab798331195ec9534e1130fad551c60858339 |
| SHA256 | c40b5cd18b1fc5463361caa997f4302eacf83870f4971a320c2ce454fbff6cb5 |
| SHA512 | 6f2944ab6e03e9b4563667daa530563197be7f1f73a0dfdfc1ceff92f978f70af374bd35f156ca32fbaa63f04b68bc7946336bb4050513e8dc2360bd8ce484ea |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe
| MD5 | cce753efe2914e6ad4fb038e7132fd33 |
| SHA1 | 772ab798331195ec9534e1130fad551c60858339 |
| SHA256 | c40b5cd18b1fc5463361caa997f4302eacf83870f4971a320c2ce454fbff6cb5 |
| SHA512 | 6f2944ab6e03e9b4563667daa530563197be7f1f73a0dfdfc1ceff92f978f70af374bd35f156ca32fbaa63f04b68bc7946336bb4050513e8dc2360bd8ce484ea |
\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe
| MD5 | cce753efe2914e6ad4fb038e7132fd33 |
| SHA1 | 772ab798331195ec9534e1130fad551c60858339 |
| SHA256 | c40b5cd18b1fc5463361caa997f4302eacf83870f4971a320c2ce454fbff6cb5 |
| SHA512 | 6f2944ab6e03e9b4563667daa530563197be7f1f73a0dfdfc1ceff92f978f70af374bd35f156ca32fbaa63f04b68bc7946336bb4050513e8dc2360bd8ce484ea |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe
| MD5 | cce753efe2914e6ad4fb038e7132fd33 |
| SHA1 | 772ab798331195ec9534e1130fad551c60858339 |
| SHA256 | c40b5cd18b1fc5463361caa997f4302eacf83870f4971a320c2ce454fbff6cb5 |
| SHA512 | 6f2944ab6e03e9b4563667daa530563197be7f1f73a0dfdfc1ceff92f978f70af374bd35f156ca32fbaa63f04b68bc7946336bb4050513e8dc2360bd8ce484ea |
\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe
| MD5 | 099f99e3884ab3edc405aee89200d7f4 |
| SHA1 | 93e5cb16c9fb947af861e77ae739035706445fe3 |
| SHA256 | 820072848482f8f5dcfc9e6ce137250e4e02ded72bd95ee0119e549edc290ce0 |
| SHA512 | e3b4ee447f36cf9e2ab405aa229c7ba8963ac2db9b78d12f706b6f69d3a512cae49687ba84f94de4d8a186146883438772a3dd07408d25194475880fdfa46f22 |
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe
| MD5 | 099f99e3884ab3edc405aee89200d7f4 |
| SHA1 | 93e5cb16c9fb947af861e77ae739035706445fe3 |
| SHA256 | 820072848482f8f5dcfc9e6ce137250e4e02ded72bd95ee0119e549edc290ce0 |
| SHA512 | e3b4ee447f36cf9e2ab405aa229c7ba8963ac2db9b78d12f706b6f69d3a512cae49687ba84f94de4d8a186146883438772a3dd07408d25194475880fdfa46f22 |
\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe
| MD5 | 099f99e3884ab3edc405aee89200d7f4 |
| SHA1 | 93e5cb16c9fb947af861e77ae739035706445fe3 |
| SHA256 | 820072848482f8f5dcfc9e6ce137250e4e02ded72bd95ee0119e549edc290ce0 |
| SHA512 | e3b4ee447f36cf9e2ab405aa229c7ba8963ac2db9b78d12f706b6f69d3a512cae49687ba84f94de4d8a186146883438772a3dd07408d25194475880fdfa46f22 |
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe
| MD5 | 099f99e3884ab3edc405aee89200d7f4 |
| SHA1 | 93e5cb16c9fb947af861e77ae739035706445fe3 |
| SHA256 | 820072848482f8f5dcfc9e6ce137250e4e02ded72bd95ee0119e549edc290ce0 |
| SHA512 | e3b4ee447f36cf9e2ab405aa229c7ba8963ac2db9b78d12f706b6f69d3a512cae49687ba84f94de4d8a186146883438772a3dd07408d25194475880fdfa46f22 |
C:\Users\Admin\AppData\Local\Temp\DAE7.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
C:\Users\Admin\AppData\Local\Temp\DAE7.exe
| MD5 | 8905918bd7e4f4aeda3a804d81f9ee40 |
| SHA1 | 3c488a81539116085a1c22df26085f798f7202c8 |
| SHA256 | 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde |
| SHA512 | 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56 |
memory/2812-151-0x0000000000B30000-0x0000000000B6E000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe
| MD5 | 53e28e07671d832a65fbfe3aa38b6678 |
| SHA1 | 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1 |
| SHA256 | 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e |
| SHA512 | 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9 |
C:\Users\Admin\AppData\Local\Temp\DCEB.exe
| MD5 | 425e2a994509280a8c1e2812dfaad929 |
| SHA1 | 4d5eff2fb3835b761e2516a873b537cbaacea1fe |
| SHA256 | 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a |
| SHA512 | 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0 |
memory/1056-162-0x00000000004E0000-0x0000000000500000-memory.dmp
memory/1056-163-0x0000000001DB0000-0x0000000001DCE000-memory.dmp
memory/1056-165-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DE43.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/1056-175-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
memory/1056-176-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/2812-173-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/1056-179-0x0000000002140000-0x0000000002180000-memory.dmp
memory/1056-181-0x0000000002140000-0x0000000002180000-memory.dmp
memory/1056-183-0x0000000002140000-0x0000000002180000-memory.dmp
memory/1056-182-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe
| MD5 | 6c2726b56d7324b9cee3e4aa7d481d99 |
| SHA1 | 3e417972b5b5f3ef473a2beea6e6596c774e603c |
| SHA256 | 5afd27015147648e6ff2be220d33c679c8e85f7b2a2dd600f562b07ce1069253 |
| SHA512 | 3d76dfc6793db1ef026db0a7077a55db6376f000232e19a4fca45b69f13675ee699bfb4ea5eeb79e216ce5577453057a7c5959cab46c3d0dc30f2cfb15bb42a6 |
memory/1056-188-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
memory/1056-178-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
memory/1056-191-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
memory/2088-190-0x0000000001210000-0x000000000124E000-memory.dmp
memory/1056-193-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
memory/1056-195-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
memory/1056-200-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DE43.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/1056-202-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
memory/1056-204-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
memory/1056-206-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
memory/1056-208-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
memory/1056-210-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
memory/1056-212-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
memory/1056-214-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DE43.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/1056-164-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E804.exe
| MD5 | b9fbf1ffd7f18fa178219df9e5a4d7f9 |
| SHA1 | be2d63df44dbbb754fc972e18adf9d56a1adcce4 |
| SHA256 | 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f |
| SHA512 | ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8 |
memory/2092-220-0x0000000000600000-0x000000000065A000-memory.dmp
memory/2092-223-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2092-225-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/3040-229-0x0000000000E10000-0x0000000000E2E000-memory.dmp
memory/3040-230-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/3040-231-0x00000000005D0000-0x0000000000610000-memory.dmp
memory/2740-235-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/2740-236-0x0000000000260000-0x00000000002BA000-memory.dmp
memory/2812-237-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/2740-238-0x00000000002F0000-0x0000000000330000-memory.dmp
memory/1056-239-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/1056-240-0x0000000002140000-0x0000000002180000-memory.dmp
memory/1056-241-0x0000000002140000-0x0000000002180000-memory.dmp
memory/1056-242-0x0000000002140000-0x0000000002180000-memory.dmp
memory/2812-246-0x00000000043A0000-0x00000000043E0000-memory.dmp
memory/768-247-0x0000000000300000-0x000000000041B000-memory.dmp
memory/912-248-0x0000000000400000-0x000000000043E000-memory.dmp
memory/912-250-0x0000000000400000-0x000000000043E000-memory.dmp
memory/912-254-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/768-256-0x0000000000300000-0x000000000041B000-memory.dmp
memory/912-258-0x0000000000400000-0x000000000043E000-memory.dmp
memory/912-257-0x0000000000400000-0x000000000043E000-memory.dmp
memory/912-259-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/912-260-0x0000000004B20000-0x0000000004B60000-memory.dmp
memory/2092-268-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/3040-269-0x0000000074780000-0x0000000074E6E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab688.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar717.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/3040-297-0x00000000005D0000-0x0000000000610000-memory.dmp
memory/1056-298-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/2740-299-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/2740-300-0x00000000002F0000-0x0000000000330000-memory.dmp
memory/1592-305-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/1592-304-0x0000000001260000-0x0000000001C62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | e5bbfaa96a70b5c2316d1befe5a1b85c |
| SHA1 | 399a478e94abf553332d11c18b9f88894ecaeabe |
| SHA256 | b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30 |
| SHA512 | bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 0bce2fed456a72a2486b1d17621c88d6 |
| SHA1 | 4cbff382f76920526ec0bc81a05bfd372dd88229 |
| SHA256 | 09d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b |
| SHA512 | 74c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4 |
memory/900-321-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1400-319-0x0000000000250000-0x0000000000350000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1C33.exe
| MD5 | 42d97769a8cfdfedac8e03f6903e076b |
| SHA1 | 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe |
| SHA256 | f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b |
| SHA512 | 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77 |
memory/900-329-0x0000000000400000-0x0000000000409000-memory.dmp
memory/908-327-0x0000000002730000-0x0000000002B28000-memory.dmp
memory/1400-328-0x00000000001B0000-0x00000000001B9000-memory.dmp
memory/912-330-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/900-332-0x0000000000400000-0x0000000000409000-memory.dmp
memory/912-334-0x0000000004B20000-0x0000000004B60000-memory.dmp
memory/1792-335-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1792-336-0x0000000000020000-0x000000000003E000-memory.dmp
memory/1792-340-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/908-341-0x0000000002B30000-0x000000000341B000-memory.dmp
memory/908-342-0x0000000002730000-0x0000000002B28000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\24BC.exe
| MD5 | 395e28e36c665acf5f85f7c4c6363296 |
| SHA1 | cd96607e18326979de9de8d6f5bab2d4b176f9fb |
| SHA256 | 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa |
| SHA512 | 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de |
memory/1792-344-0x0000000004680000-0x00000000046C0000-memory.dmp
memory/1592-350-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/908-351-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2A49.exe
| MD5 | d5752c23e575b5a1a1cc20892462634a |
| SHA1 | 132e347a010ea0c809844a4d90bcc0414a11da3f |
| SHA256 | c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb |
| SHA512 | ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8 |
memory/1268-357-0x00000000040E0000-0x00000000040F6000-memory.dmp
memory/900-358-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1792-362-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1792-363-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/1648-364-0x00000000026A0000-0x0000000002A98000-memory.dmp
memory/2740-365-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/908-366-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/908-368-0x0000000002B30000-0x000000000341B000-memory.dmp
memory/1792-370-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/1648-372-0x00000000026A0000-0x0000000002A98000-memory.dmp
memory/1648-384-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/912-385-0x0000000074780000-0x0000000074E6E000-memory.dmp
memory/1648-393-0x00000000026A0000-0x0000000002A98000-memory.dmp
memory/1648-394-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/2500-395-0x0000000002640000-0x0000000002A38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JKJDDTWXXVLPR43FTSMA.temp
| MD5 | 70367d786d09101cb7391bb8d32b139e |
| SHA1 | b2517cf31e29c976f5bf9a7813576e21ab3abfaa |
| SHA256 | d3e9d1635dd11a5ab543585790d54d07ba514844fb70fb51e5d1092f202db8e0 |
| SHA512 | 213069d4700b3c95c7c8632ac6cbba938115fadc98832ad2262d5674c258e7efeb83666b1eca9eea6d545e452899e34f4a86e978a21368d42204c530200f2158 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | 5da3a881ef991e8010deed799f1a5aaf |
| SHA1 | fea1acea7ed96d7c9788783781e90a2ea48c1a53 |
| SHA256 | f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4 |
| SHA512 | 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09 |