Malware Analysis Report

2025-08-05 19:00

Sample ID 231019-pzl3psga2z
Target file.exe
SHA256 7932899544025eb132921b174af481caf38caca73a162306f7dadc250c403c16
Tags
amadey dcrat glupteba redline sectoprat smokeloader 5141679758_99 @ytlogsbot breha kukish pixelscloud2.0 up3 backdoor microsoft discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7932899544025eb132921b174af481caf38caca73a162306f7dadc250c403c16

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba redline sectoprat smokeloader 5141679758_99 @ytlogsbot breha kukish pixelscloud2.0 up3 backdoor microsoft discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

SectopRAT payload

DcRat

Glupteba payload

RedLine payload

RedLine

Glupteba

Amadey

SmokeLoader

Windows security bypass

SectopRAT

Modifies Windows Defender Real-time Protection settings

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Drops file in Drivers directory

Blocklisted process makes network request

Possible attempt to disable PatchGuard

Stops running service(s)

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Uses the VBS compiler for execution

Executes dropped EXE

Windows security modification

.NET Reactor proctector

Reads user/profile data of local email clients

Checks installed software on the system

Manipulates WinMon driver.

Manipulates WinMonFS driver.

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Detected potential entity reuse from brand microsoft.

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of UnmapMainImage

Modifies system certificate store

Enumerates system info in registry

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-19 12:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-19 12:46

Reported

2023-10-19 12:48

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\176F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\176F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\176F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\176F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\176F.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1954.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4F3E.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1047.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\14FD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\176F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1954.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1BA7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1C93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1E1A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\SysWOW64\cacls.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4F3E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\529B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5451.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5656.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\529B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\529B.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\176F.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1047.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\5451.exe'\"" C:\Users\Admin\AppData\Local\Temp\5451.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Detected potential entity reuse from brand microsoft.

phishing microsoft

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1212 set thread context of 3792 N/A C:\Windows\SysWOW64\cacls.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4108 set thread context of 5280 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 1816 set thread context of 4784 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 1816 set thread context of 920 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\529B.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\176F.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1C93.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1E1A.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3288 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
PID 3288 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
PID 3288 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
PID 884 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
PID 884 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
PID 884 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
PID 4672 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
PID 4672 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
PID 4672 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
PID 1492 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
PID 1492 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
PID 1492 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
PID 1068 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
PID 1068 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
PID 1068 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
PID 1068 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
PID 1068 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
PID 1068 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
PID 1492 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
PID 1492 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
PID 1492 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
PID 4672 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
PID 4672 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
PID 4672 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
PID 3160 wrote to memory of 3876 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1047.exe
PID 3160 wrote to memory of 3876 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1047.exe
PID 3160 wrote to memory of 3876 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1047.exe
PID 3876 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\1047.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe
PID 3876 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\1047.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe
PID 3876 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\1047.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe
PID 3160 wrote to memory of 1156 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\10E4.exe
PID 3160 wrote to memory of 1156 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\10E4.exe
PID 3160 wrote to memory of 1156 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\10E4.exe
PID 3060 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe
PID 3060 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe
PID 3060 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe
PID 620 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe
PID 620 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe
PID 620 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe
PID 3160 wrote to memory of 4608 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3160 wrote to memory of 4608 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2152 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe
PID 2152 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe
PID 2152 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe
PID 3068 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe
PID 3068 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe
PID 3068 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe
PID 3160 wrote to memory of 1000 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\14FD.exe
PID 3160 wrote to memory of 1000 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\14FD.exe
PID 3160 wrote to memory of 1000 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\14FD.exe
PID 3068 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe
PID 3068 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe
PID 3068 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe
PID 3160 wrote to memory of 3628 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\176F.exe
PID 3160 wrote to memory of 3628 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\176F.exe
PID 3160 wrote to memory of 3628 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\176F.exe
PID 3160 wrote to memory of 4456 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1954.exe
PID 3160 wrote to memory of 4456 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1954.exe
PID 3160 wrote to memory of 4456 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1954.exe
PID 4608 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4608 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3160 wrote to memory of 3544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1BA7.exe
PID 3160 wrote to memory of 3544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1BA7.exe
PID 3160 wrote to memory of 3544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1BA7.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe

C:\Users\Admin\AppData\Local\Temp\1047.exe

C:\Users\Admin\AppData\Local\Temp\1047.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe

C:\Users\Admin\AppData\Local\Temp\10E4.exe

C:\Users\Admin\AppData\Local\Temp\10E4.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\121E.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe

C:\Users\Admin\AppData\Local\Temp\14FD.exe

C:\Users\Admin\AppData\Local\Temp\14FD.exe

C:\Users\Admin\AppData\Local\Temp\176F.exe

C:\Users\Admin\AppData\Local\Temp\176F.exe

C:\Users\Admin\AppData\Local\Temp\1954.exe

C:\Users\Admin\AppData\Local\Temp\1954.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\1BA7.exe

C:\Users\Admin\AppData\Local\Temp\1BA7.exe

C:\Users\Admin\AppData\Local\Temp\1C93.exe

C:\Users\Admin\AppData\Local\Temp\1C93.exe

C:\Users\Admin\AppData\Local\Temp\1E1A.exe

C:\Users\Admin\AppData\Local\Temp\1E1A.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9bba946f8,0x7ff9bba94708,0x7ff9bba94718

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\259D.exe

C:\Users\Admin\AppData\Local\Temp\259D.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bba946f8,0x7ff9bba94708,0x7ff9bba94718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2660 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2712 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\4F3E.exe

C:\Users\Admin\AppData\Local\Temp\4F3E.exe

C:\Users\Admin\AppData\Local\Temp\529B.exe

C:\Users\Admin\AppData\Local\Temp\529B.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bba946f8,0x7ff9bba94708,0x7ff9bba94718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1BA7.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Users\Admin\AppData\Local\Temp\5451.exe

C:\Users\Admin\AppData\Local\Temp\5451.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\5656.exe

C:\Users\Admin\AppData\Local\Temp\5656.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8603366911021583089,18066322505451976937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4308 -ip 4308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=1BA7.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bba946f8,0x7ff9bba94708,0x7ff9bba94718

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,3569658969339383047,6238542760854703869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3569658969339383047,6238542760854703869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3569658969339383047,6238542760854703869,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3569658969339383047,6238542760854703869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3569658969339383047,6238542760854703869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 5.42.92.88:80 5.42.92.88 tcp
US 8.8.8.8:53 88.92.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.92.88:80 5.42.92.88 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
NL 85.209.176.128:80 tcp
IT 185.196.9.65:80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 65.9.196.185.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com udp
TR 185.216.70.238:37515 tcp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.75.67.172.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 10.5.240.157.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 facebook.com udp
US 157.240.5.35:443 facebook.com tcp
US 8.8.8.8:53 35.5.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
US 157.240.5.35:443 fbcdn.net tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 59.82.57.23.in-addr.arpa udp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 hellouts.fun udp
US 188.114.96.0:80 hellouts.fun tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 mscom.demdex.net udp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
IE 54.229.131.209:443 mscom.demdex.net tcp
US 188.114.96.0:80 hellouts.fun tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 209.131.229.54.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
NL 85.209.176.128:80 tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
US 188.114.96.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 19ce47db-c8dc-4249-81b1-f57f2afd7d63.uuid.realupdate.ru udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
NL 85.209.176.128:80 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 server7.realupdate.ru udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.96:443 server7.realupdate.ru tcp
IN 172.253.121.127:19302 stun2.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 127.121.253.172.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
BG 185.82.216.96:443 server7.realupdate.ru tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 135.125.238.108:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
NL 51.15.65.182:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 108.238.125.135.in-addr.arpa udp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 182.65.15.51.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 server7.realupdate.ru udp
BG 185.82.216.96:443 server7.realupdate.ru tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 142.251.125.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 127.125.251.142.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe

MD5 d5a936d1d615ac682aab5d4d3d75a57b
SHA1 b3fb1d5bb8f19cc875c2b3f85eeabbb3bc936bca
SHA256 64c6c0f3bec77d6c2a6a638f9f042558e4b846390fa09d91d0374341d8aa289a
SHA512 2d2e592f9f7c07e218fc1955d9f355f6c3a127ada698bbb7fe491616582a8695958756e41945ba146eee811bc476b0609f8e916b0a13875df693b69210f4f358

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe

MD5 d5a936d1d615ac682aab5d4d3d75a57b
SHA1 b3fb1d5bb8f19cc875c2b3f85eeabbb3bc936bca
SHA256 64c6c0f3bec77d6c2a6a638f9f042558e4b846390fa09d91d0374341d8aa289a
SHA512 2d2e592f9f7c07e218fc1955d9f355f6c3a127ada698bbb7fe491616582a8695958756e41945ba146eee811bc476b0609f8e916b0a13875df693b69210f4f358

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe

MD5 7dca51415048717af1e6c339810b6041
SHA1 8d1b90135d143b5c9642bcc975610da6e72eabfa
SHA256 0fe4e1a43ecc72d9acd30183f493d623d17afdf6aef74da254130c74a0eb538a
SHA512 a2026453920ea5405ebf46b631e29581f057fb4e8ba27df97762670ad40782cdec629fc46363d81d74f99fbd4e2b99cea66720ba1463ab65d7a4601b4b844186

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe

MD5 7dca51415048717af1e6c339810b6041
SHA1 8d1b90135d143b5c9642bcc975610da6e72eabfa
SHA256 0fe4e1a43ecc72d9acd30183f493d623d17afdf6aef74da254130c74a0eb538a
SHA512 a2026453920ea5405ebf46b631e29581f057fb4e8ba27df97762670ad40782cdec629fc46363d81d74f99fbd4e2b99cea66720ba1463ab65d7a4601b4b844186

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe

MD5 acd696ea33a76a935f848e545077ce09
SHA1 7aee9fce363bab6d3ad5286ab1fd67e3f529fb49
SHA256 d880bac12fa2c6fecec1bc8d8fb916317737830256dad39aa22dd85b57aacc77
SHA512 73d872eb94472cf88dfa5f6ac853c1ab27516d892e314470cd038629e279ea7c83e0c6aff5869d0b9de9b86b82f97a0086ce41a8349e31757a19889d1b0aedb8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe

MD5 acd696ea33a76a935f848e545077ce09
SHA1 7aee9fce363bab6d3ad5286ab1fd67e3f529fb49
SHA256 d880bac12fa2c6fecec1bc8d8fb916317737830256dad39aa22dd85b57aacc77
SHA512 73d872eb94472cf88dfa5f6ac853c1ab27516d892e314470cd038629e279ea7c83e0c6aff5869d0b9de9b86b82f97a0086ce41a8349e31757a19889d1b0aedb8

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe

MD5 87806b756fa271f76d7c51f79456e601
SHA1 417c64c45db6222cd34aea8cf11abe6a63559c89
SHA256 92c450026e0529747d7071c1313a5ddece56e6f94c9d657cd3e013d82c2eb8b6
SHA512 6af27c5d363357998288f32c51e4a276d36509cd64445a57b68fd4c391329b036ce681d732ef6ad68f3422aae20c7f6973e3ca01e9b0a8a24f11d6d193885669

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe

MD5 87806b756fa271f76d7c51f79456e601
SHA1 417c64c45db6222cd34aea8cf11abe6a63559c89
SHA256 92c450026e0529747d7071c1313a5ddece56e6f94c9d657cd3e013d82c2eb8b6
SHA512 6af27c5d363357998288f32c51e4a276d36509cd64445a57b68fd4c391329b036ce681d732ef6ad68f3422aae20c7f6973e3ca01e9b0a8a24f11d6d193885669

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

memory/2920-35-0x00000000009D0000-0x00000000009DA000-memory.dmp

memory/2920-36-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/2920-37-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/2920-39-0x0000000074620000-0x0000000074DD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

memory/2164-45-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3160-47-0x0000000000D90000-0x0000000000DA6000-memory.dmp

memory/2164-48-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

memory/5024-55-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/5024-54-0x0000000000020000-0x000000000005E000-memory.dmp

memory/5024-56-0x0000000007390000-0x0000000007934000-memory.dmp

memory/5024-57-0x0000000006E80000-0x0000000006F12000-memory.dmp

memory/5024-58-0x0000000004A10000-0x0000000004A20000-memory.dmp

memory/5024-59-0x0000000006E10000-0x0000000006E1A000-memory.dmp

memory/5024-60-0x0000000007F60000-0x0000000008578000-memory.dmp

memory/5024-61-0x0000000007940000-0x0000000007A4A000-memory.dmp

memory/5024-62-0x00000000071C0000-0x00000000071D2000-memory.dmp

memory/5024-63-0x0000000007220000-0x000000000725C000-memory.dmp

memory/5024-64-0x0000000007260000-0x00000000072AC000-memory.dmp

memory/5024-65-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/5024-66-0x0000000004A10000-0x0000000004A20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1047.exe

MD5 44211efdc03e00718d0fea8e75e423a1
SHA1 092bee66e07dd771fc86b444fe79fffa5c875336
SHA256 8c2f2e4bedf6d22bf1951428a0758c62fcba09b5e97253eb906b82d992549889
SHA512 f1d589a500783e039b545ed205e7d06196e986ff745580e87eebaabec39892ca7cc382ae71b16cd5fc3c67e0b3f31510214f518b4b42e5162edc44996d77c42a

C:\Users\Admin\AppData\Local\Temp\1047.exe

MD5 44211efdc03e00718d0fea8e75e423a1
SHA1 092bee66e07dd771fc86b444fe79fffa5c875336
SHA256 8c2f2e4bedf6d22bf1951428a0758c62fcba09b5e97253eb906b82d992549889
SHA512 f1d589a500783e039b545ed205e7d06196e986ff745580e87eebaabec39892ca7cc382ae71b16cd5fc3c67e0b3f31510214f518b4b42e5162edc44996d77c42a

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe

MD5 f3ceb6311015a60b63fbcf853e4d8838
SHA1 173bb30d9ca88329e0aed6c423ef6e49479fb545
SHA256 598178b458a348f2b95c33648dfc20099c4eed047db4fb09b1cad2c4fc65d16f
SHA512 63383b8fad0074082980e75e5b3f4c1dc8b4273cebaae7d9b1019eac068ad959b30759a7640a70267dde9e7ec43cb2bd93f17b6fd12ed3df6fef60bd85509bf4

C:\Users\Admin\AppData\Local\Temp\10E4.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\10E4.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\10E4.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe

MD5 f3ceb6311015a60b63fbcf853e4d8838
SHA1 173bb30d9ca88329e0aed6c423ef6e49479fb545
SHA256 598178b458a348f2b95c33648dfc20099c4eed047db4fb09b1cad2c4fc65d16f
SHA512 63383b8fad0074082980e75e5b3f4c1dc8b4273cebaae7d9b1019eac068ad959b30759a7640a70267dde9e7ec43cb2bd93f17b6fd12ed3df6fef60bd85509bf4

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe

MD5 b8480037a4d460dc883b32a0c4ed84c9
SHA1 96d098132b54e2bb22074d87d07ae76934eda05e
SHA256 97e685412c57ec82ef8ff3f6bd3ab019b15424dc7c79501bc4645d31a39e3901
SHA512 9cf0c4c7749ea632eeef09984c5003ccba8d3d7c5e3d4de818791b1c619db401a8b47c6c8ff763cb2c1d7dd2af57b9a877bf5aa49cab57282724153b293811e1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\4OV624Qt.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe

MD5 b8480037a4d460dc883b32a0c4ed84c9
SHA1 96d098132b54e2bb22074d87d07ae76934eda05e
SHA256 97e685412c57ec82ef8ff3f6bd3ab019b15424dc7c79501bc4645d31a39e3901
SHA512 9cf0c4c7749ea632eeef09984c5003ccba8d3d7c5e3d4de818791b1c619db401a8b47c6c8ff763cb2c1d7dd2af57b9a877bf5aa49cab57282724153b293811e1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe

MD5 cce753efe2914e6ad4fb038e7132fd33
SHA1 772ab798331195ec9534e1130fad551c60858339
SHA256 c40b5cd18b1fc5463361caa997f4302eacf83870f4971a320c2ce454fbff6cb5
SHA512 6f2944ab6e03e9b4563667daa530563197be7f1f73a0dfdfc1ceff92f978f70af374bd35f156ca32fbaa63f04b68bc7946336bb4050513e8dc2360bd8ce484ea

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe

MD5 cce753efe2914e6ad4fb038e7132fd33
SHA1 772ab798331195ec9534e1130fad551c60858339
SHA256 c40b5cd18b1fc5463361caa997f4302eacf83870f4971a320c2ce454fbff6cb5
SHA512 6f2944ab6e03e9b4563667daa530563197be7f1f73a0dfdfc1ceff92f978f70af374bd35f156ca32fbaa63f04b68bc7946336bb4050513e8dc2360bd8ce484ea

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe

MD5 099f99e3884ab3edc405aee89200d7f4
SHA1 93e5cb16c9fb947af861e77ae739035706445fe3
SHA256 820072848482f8f5dcfc9e6ce137250e4e02ded72bd95ee0119e549edc290ce0
SHA512 e3b4ee447f36cf9e2ab405aa229c7ba8963ac2db9b78d12f706b6f69d3a512cae49687ba84f94de4d8a186146883438772a3dd07408d25194475880fdfa46f22

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe

MD5 099f99e3884ab3edc405aee89200d7f4
SHA1 93e5cb16c9fb947af861e77ae739035706445fe3
SHA256 820072848482f8f5dcfc9e6ce137250e4e02ded72bd95ee0119e549edc290ce0
SHA512 e3b4ee447f36cf9e2ab405aa229c7ba8963ac2db9b78d12f706b6f69d3a512cae49687ba84f94de4d8a186146883438772a3dd07408d25194475880fdfa46f22

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\121E.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\14FD.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\14FD.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe

MD5 6c2726b56d7324b9cee3e4aa7d481d99
SHA1 3e417972b5b5f3ef473a2beea6e6596c774e603c
SHA256 5afd27015147648e6ff2be220d33c679c8e85f7b2a2dd600f562b07ce1069253
SHA512 3d76dfc6793db1ef026db0a7077a55db6376f000232e19a4fca45b69f13675ee699bfb4ea5eeb79e216ce5577453057a7c5959cab46c3d0dc30f2cfb15bb42a6

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe

MD5 6c2726b56d7324b9cee3e4aa7d481d99
SHA1 3e417972b5b5f3ef473a2beea6e6596c774e603c
SHA256 5afd27015147648e6ff2be220d33c679c8e85f7b2a2dd600f562b07ce1069253
SHA512 3d76dfc6793db1ef026db0a7077a55db6376f000232e19a4fca45b69f13675ee699bfb4ea5eeb79e216ce5577453057a7c5959cab46c3d0dc30f2cfb15bb42a6

memory/4864-122-0x0000000000B20000-0x0000000000B5E000-memory.dmp

memory/1000-121-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/4864-123-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/1000-124-0x00000000073A0000-0x00000000073B0000-memory.dmp

memory/4864-125-0x0000000007AF0000-0x0000000007B00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\176F.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

C:\Users\Admin\AppData\Local\Temp\176F.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

memory/3628-131-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/3628-132-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/3628-134-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/3628-136-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/3628-133-0x0000000004990000-0x00000000049AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1954.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\1954.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3628-130-0x0000000002170000-0x0000000002190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3628-142-0x0000000004990000-0x00000000049A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1BA7.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/3628-146-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/3628-148-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/3628-152-0x0000000004990000-0x00000000049A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1C93.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

memory/3628-156-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/3628-158-0x0000000004990000-0x00000000049A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1BA7.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/3628-163-0x0000000004990000-0x00000000049A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1E1A.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/3628-166-0x0000000004990000-0x00000000049A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1C93.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

memory/5048-175-0x0000000000FF0000-0x000000000100E000-memory.dmp

memory/3628-173-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/4020-180-0x0000000000F00000-0x0000000000F5A000-memory.dmp

memory/3628-183-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/3628-186-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/1000-188-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/3544-192-0x0000000000400000-0x0000000000470000-memory.dmp

memory/5048-195-0x0000000003320000-0x0000000003330000-memory.dmp

memory/4020-198-0x0000000005750000-0x0000000005760000-memory.dmp

memory/3628-205-0x0000000004990000-0x00000000049A8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

memory/3544-191-0x00000000006D0000-0x000000000072A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3628-193-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/5048-182-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/3628-178-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/4020-177-0x0000000074620000-0x0000000074DD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1E1A.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/3628-209-0x0000000004990000-0x00000000049A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\259D.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

memory/3628-213-0x0000000004990000-0x00000000049A8000-memory.dmp

memory/4864-208-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/3628-215-0x0000000004990000-0x00000000049A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\259D.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

memory/1212-223-0x0000000000250000-0x000000000036B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

memory/4020-222-0x00000000088D0000-0x0000000008936000-memory.dmp

memory/3792-225-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3628-240-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/1212-239-0x0000000000250000-0x000000000036B000-memory.dmp

memory/3792-241-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/3628-243-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/3628-242-0x0000000004B60000-0x0000000004B70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

\??\pipe\LOCAL\crashpad_4360_OUCCJPBOEUIDOBKH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4864-234-0x0000000007AF0000-0x0000000007B00000-memory.dmp

memory/3628-246-0x0000000004B60000-0x0000000004B70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 07264bc88b03952784228086acac27e8
SHA1 06677d19cece17b2a28348251c4dc4d00f7fa9ce
SHA256 3fe27c996fbee0626664a597e82ecc045c75671636b05390e2ce54b9f11403bf
SHA512 083af26c2affe4a186a783545264ac714edf21ff1a1f808507ff5054a48904ce4b6b12a3082157ee005e805ce74419926923d87d4339b0ed92a28dae8dc02215

memory/4020-280-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/5048-281-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/4020-284-0x0000000009F40000-0x0000000009F90000-memory.dmp

memory/4020-285-0x000000000A010000-0x000000000A086000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4020-287-0x000000000A270000-0x000000000A432000-memory.dmp

memory/4020-291-0x000000000A970000-0x000000000AE9C000-memory.dmp

memory/5048-292-0x0000000003320000-0x0000000003330000-memory.dmp

memory/4020-297-0x000000000A170000-0x000000000A18E000-memory.dmp

memory/4020-303-0x0000000005750000-0x0000000005760000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\4F3E.exe

MD5 85fb3b5dffede43c9eb9510b19e440b4
SHA1 6623493bbc3dd0fb63b8b8740b22d682e91204b1
SHA256 3bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a
SHA512 af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40

C:\Users\Admin\AppData\Local\Temp\4F3E.exe

MD5 85fb3b5dffede43c9eb9510b19e440b4
SHA1 6623493bbc3dd0fb63b8b8740b22d682e91204b1
SHA256 3bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a
SHA512 af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40

memory/1464-315-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/3628-317-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/1464-316-0x0000000000870000-0x0000000001272000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 85ad0ae411cc92d29eb28be73fb9e678
SHA1 b6b0c1618c5dc0685dcca2222d0625e06a7c8bf0
SHA256 9936207d25e6cb016a9b4ec1f9fa0b40f5669d1f606b419c94735e06423d2b18
SHA512 58ff2ed697872fe01c11f3ffb2c729bb759139534265c64a80038c5ae73cda3d0e6b63cf930beff52cacc9c28339736dea414d6206291ec681639391b27bae85

C:\Users\Admin\AppData\Local\Temp\529B.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Temp\5451.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 e5bbfaa96a70b5c2316d1befe5a1b85c
SHA1 399a478e94abf553332d11c18b9f88894ecaeabe
SHA256 b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30
SHA512 bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0bce2fed456a72a2486b1d17621c88d6
SHA1 4cbff382f76920526ec0bc81a05bfd372dd88229
SHA256 09d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b
SHA512 74c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4

memory/3792-360-0x0000000074620000-0x0000000074DD0000-memory.dmp

memory/4308-362-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4108-364-0x00000000006B0000-0x00000000007B0000-memory.dmp

memory/4108-366-0x00000000020C0000-0x00000000020C9000-memory.dmp

memory/4308-367-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/5280-363-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 00e93a09fd10108e2bc4507bda7302cb
SHA1 578dfa88d0d25caf48fd2cf6d44db38a109b6ee2
SHA256 771d1ce9da906ed7d55d56863944ff4ae35cb3acd4b758996e31516f8b1d47de
SHA512 b3e165986394eb93c6efd0868d45565a98032cf7162292fe072d8db67b1a0395cadad896e172f0b41f22ef438c5082e3d3061fe116e545ea793ccab88e5f75c1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 699e3636ed7444d9b47772e4446ccfc1
SHA1 db0459ca6ceeea2e87e0023a6b7ee06aeed6fded
SHA256 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a
SHA512 d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/3160-439-0x0000000002D80000-0x0000000002D96000-memory.dmp

memory/5280-440-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e203500de24f55c758d73841a82f9f19
SHA1 e0c4880d86356b80b4239450d99f336cc77e07b4
SHA256 9d47690912b8864f956723d122c4eaa26fd75b5732df96181d41e622b4c40e27
SHA512 a683290c9c58120abc48668e13e62e198e26eba09e3dd917ea04864742abaa8cf573a9765dc94aa04bbfc726979122bee43d544cd404977d7923b615ad0e04fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 13971bc59989b016beed4d0b4fad65bb
SHA1 127a044cb5113b139e36e287fe7910e25c1d0b7d
SHA256 2d0e9bff6856b566f2966430ecc6f849920199803f9efb63faaf8ee5135c82b6
SHA512 07de5c65841e5215cb6ad51bd4f688be417527d7fa99574938f63a553a0308132d973b3c5ac600cf157ae546b72896bf9ae88b58d0c97b54e574661820964281

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dcsrmiyu.dc2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4308-487-0x0000000004940000-0x0000000004970000-memory.dmp

memory/4308-488-0x0000000004970000-0x00000000049A0000-memory.dmp

memory/3592-494-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5260-498-0x00007FF783AA0000-0x00007FF784041000-memory.dmp

memory/3592-555-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1940-577-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-19 12:46

Reported

2023-10-19 12:48

Platform

win7-20230831-en

Max time kernel

144s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\DCEB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\DCEB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\DCEB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\DCEB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\DCEB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D76B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D837.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DAE7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DCEB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1C33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E804.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EB21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EE4D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F86C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16F4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1C33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2A49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D76B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D76B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1C33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E804.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E804.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16F4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16F4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16F4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16F4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16F4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\DCEB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\24BC.exe'\"" C:\Users\Admin\AppData\Local\Temp\24BC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\D76B.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20231019124710.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\E804.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\1C33.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\1C33.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\1C33.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\1C33.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DCEB.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EB21.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EE4D.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1C33.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
PID 2580 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
PID 2580 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
PID 2580 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
PID 2580 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
PID 2580 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
PID 2580 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe
PID 2720 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
PID 2720 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
PID 2720 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
PID 2720 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
PID 2720 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
PID 2720 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
PID 2720 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe
PID 2624 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
PID 2624 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
PID 2624 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
PID 2624 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
PID 2624 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
PID 2624 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
PID 2624 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe
PID 2764 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
PID 2764 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
PID 2764 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
PID 2764 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
PID 2764 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
PID 2764 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
PID 2764 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
PID 2284 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe
PID 2284 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
PID 2284 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
PID 2284 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
PID 2284 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
PID 2284 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
PID 2284 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
PID 2284 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe
PID 2764 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
PID 2764 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
PID 2764 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
PID 2764 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
PID 2764 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
PID 2764 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
PID 2764 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe
PID 2624 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
PID 2624 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
PID 2624 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
PID 2624 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
PID 2624 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
PID 2624 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
PID 2624 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe
PID 1268 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D76B.exe
PID 1268 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D76B.exe
PID 1268 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D76B.exe
PID 1268 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D76B.exe
PID 1268 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D76B.exe
PID 1268 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D76B.exe
PID 1268 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D76B.exe
PID 1268 wrote to memory of 472 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D837.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe

C:\Users\Admin\AppData\Local\Temp\D76B.exe

C:\Users\Admin\AppData\Local\Temp\D76B.exe

C:\Users\Admin\AppData\Local\Temp\D837.exe

C:\Users\Admin\AppData\Local\Temp\D837.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\D9CD.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe

C:\Users\Admin\AppData\Local\Temp\DAE7.exe

C:\Users\Admin\AppData\Local\Temp\DAE7.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe

C:\Users\Admin\AppData\Local\Temp\DCEB.exe

C:\Users\Admin\AppData\Local\Temp\DCEB.exe

C:\Users\Admin\AppData\Local\Temp\DE43.exe

C:\Users\Admin\AppData\Local\Temp\DE43.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\E804.exe

C:\Users\Admin\AppData\Local\Temp\E804.exe

C:\Users\Admin\AppData\Local\Temp\EB21.exe

C:\Users\Admin\AppData\Local\Temp\EB21.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 524

C:\Users\Admin\AppData\Local\Temp\EE4D.exe

C:\Users\Admin\AppData\Local\Temp\EE4D.exe

C:\Users\Admin\AppData\Local\Temp\F86C.exe

C:\Users\Admin\AppData\Local\Temp\F86C.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {50E150EA-4FF7-462F-867E-220058A9D1CA} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\16F4.exe

C:\Users\Admin\AppData\Local\Temp\16F4.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\1C33.exe

C:\Users\Admin\AppData\Local\Temp\1C33.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\24BC.exe

C:\Users\Admin\AppData\Local\Temp\24BC.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\2A49.exe

C:\Users\Admin\AppData\Local\Temp\2A49.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231019124710.log C:\Windows\Logs\CBS\CbsPersist_20231019124710.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {8870F154-D933-439A-8FFD-45FF48D725CD} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
RU 5.42.92.88:80 5.42.92.88 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.92.88:80 5.42.92.88 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
FI 77.91.124.55:19071 tcp
RU 5.42.92.88:80 5.42.92.88 tcp
FI 77.91.124.55:19071 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
NL 85.209.176.128:80 tcp
IT 185.196.9.65:80 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
TR 185.216.70.238:37515 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 h2o.activebuy.top udp
MD 37.221.65.143:8443 h2o.activebuy.top tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 hellouts.fun udp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
NL 85.209.176.128:80 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 4004202f-7530-4668-b7d9-9e3cb3794da2.uuid.realupdate.ru udp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 188.114.97.0:80 hellouts.fun tcp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
US 8.8.8.8:53 server2.realupdate.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.sipgate.net udp
US 3.33.249.248:3478 stun.sipgate.net udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server2.realupdate.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.0:443 walkinglate.com tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
BG 185.82.216.96:443 server2.realupdate.ru tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 163.172.154.142:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
FR 212.47.253.124:14433 xmr-eu1.nanopool.org tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe

MD5 d5a936d1d615ac682aab5d4d3d75a57b
SHA1 b3fb1d5bb8f19cc875c2b3f85eeabbb3bc936bca
SHA256 64c6c0f3bec77d6c2a6a638f9f042558e4b846390fa09d91d0374341d8aa289a
SHA512 2d2e592f9f7c07e218fc1955d9f355f6c3a127ada698bbb7fe491616582a8695958756e41945ba146eee811bc476b0609f8e916b0a13875df693b69210f4f358

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe

MD5 d5a936d1d615ac682aab5d4d3d75a57b
SHA1 b3fb1d5bb8f19cc875c2b3f85eeabbb3bc936bca
SHA256 64c6c0f3bec77d6c2a6a638f9f042558e4b846390fa09d91d0374341d8aa289a
SHA512 2d2e592f9f7c07e218fc1955d9f355f6c3a127ada698bbb7fe491616582a8695958756e41945ba146eee811bc476b0609f8e916b0a13875df693b69210f4f358

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe

MD5 d5a936d1d615ac682aab5d4d3d75a57b
SHA1 b3fb1d5bb8f19cc875c2b3f85eeabbb3bc936bca
SHA256 64c6c0f3bec77d6c2a6a638f9f042558e4b846390fa09d91d0374341d8aa289a
SHA512 2d2e592f9f7c07e218fc1955d9f355f6c3a127ada698bbb7fe491616582a8695958756e41945ba146eee811bc476b0609f8e916b0a13875df693b69210f4f358

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yv9fE36.exe

MD5 d5a936d1d615ac682aab5d4d3d75a57b
SHA1 b3fb1d5bb8f19cc875c2b3f85eeabbb3bc936bca
SHA256 64c6c0f3bec77d6c2a6a638f9f042558e4b846390fa09d91d0374341d8aa289a
SHA512 2d2e592f9f7c07e218fc1955d9f355f6c3a127ada698bbb7fe491616582a8695958756e41945ba146eee811bc476b0609f8e916b0a13875df693b69210f4f358

\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe

MD5 7dca51415048717af1e6c339810b6041
SHA1 8d1b90135d143b5c9642bcc975610da6e72eabfa
SHA256 0fe4e1a43ecc72d9acd30183f493d623d17afdf6aef74da254130c74a0eb538a
SHA512 a2026453920ea5405ebf46b631e29581f057fb4e8ba27df97762670ad40782cdec629fc46363d81d74f99fbd4e2b99cea66720ba1463ab65d7a4601b4b844186

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe

MD5 7dca51415048717af1e6c339810b6041
SHA1 8d1b90135d143b5c9642bcc975610da6e72eabfa
SHA256 0fe4e1a43ecc72d9acd30183f493d623d17afdf6aef74da254130c74a0eb538a
SHA512 a2026453920ea5405ebf46b631e29581f057fb4e8ba27df97762670ad40782cdec629fc46363d81d74f99fbd4e2b99cea66720ba1463ab65d7a4601b4b844186

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe

MD5 7dca51415048717af1e6c339810b6041
SHA1 8d1b90135d143b5c9642bcc975610da6e72eabfa
SHA256 0fe4e1a43ecc72d9acd30183f493d623d17afdf6aef74da254130c74a0eb538a
SHA512 a2026453920ea5405ebf46b631e29581f057fb4e8ba27df97762670ad40782cdec629fc46363d81d74f99fbd4e2b99cea66720ba1463ab65d7a4601b4b844186

\Users\Admin\AppData\Local\Temp\IXP001.TMP\px9fs82.exe

MD5 7dca51415048717af1e6c339810b6041
SHA1 8d1b90135d143b5c9642bcc975610da6e72eabfa
SHA256 0fe4e1a43ecc72d9acd30183f493d623d17afdf6aef74da254130c74a0eb538a
SHA512 a2026453920ea5405ebf46b631e29581f057fb4e8ba27df97762670ad40782cdec629fc46363d81d74f99fbd4e2b99cea66720ba1463ab65d7a4601b4b844186

\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe

MD5 acd696ea33a76a935f848e545077ce09
SHA1 7aee9fce363bab6d3ad5286ab1fd67e3f529fb49
SHA256 d880bac12fa2c6fecec1bc8d8fb916317737830256dad39aa22dd85b57aacc77
SHA512 73d872eb94472cf88dfa5f6ac853c1ab27516d892e314470cd038629e279ea7c83e0c6aff5869d0b9de9b86b82f97a0086ce41a8349e31757a19889d1b0aedb8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe

MD5 acd696ea33a76a935f848e545077ce09
SHA1 7aee9fce363bab6d3ad5286ab1fd67e3f529fb49
SHA256 d880bac12fa2c6fecec1bc8d8fb916317737830256dad39aa22dd85b57aacc77
SHA512 73d872eb94472cf88dfa5f6ac853c1ab27516d892e314470cd038629e279ea7c83e0c6aff5869d0b9de9b86b82f97a0086ce41a8349e31757a19889d1b0aedb8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe

MD5 acd696ea33a76a935f848e545077ce09
SHA1 7aee9fce363bab6d3ad5286ab1fd67e3f529fb49
SHA256 d880bac12fa2c6fecec1bc8d8fb916317737830256dad39aa22dd85b57aacc77
SHA512 73d872eb94472cf88dfa5f6ac853c1ab27516d892e314470cd038629e279ea7c83e0c6aff5869d0b9de9b86b82f97a0086ce41a8349e31757a19889d1b0aedb8

\Users\Admin\AppData\Local\Temp\IXP002.TMP\hl2Gs21.exe

MD5 acd696ea33a76a935f848e545077ce09
SHA1 7aee9fce363bab6d3ad5286ab1fd67e3f529fb49
SHA256 d880bac12fa2c6fecec1bc8d8fb916317737830256dad39aa22dd85b57aacc77
SHA512 73d872eb94472cf88dfa5f6ac853c1ab27516d892e314470cd038629e279ea7c83e0c6aff5869d0b9de9b86b82f97a0086ce41a8349e31757a19889d1b0aedb8

\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe

MD5 87806b756fa271f76d7c51f79456e601
SHA1 417c64c45db6222cd34aea8cf11abe6a63559c89
SHA256 92c450026e0529747d7071c1313a5ddece56e6f94c9d657cd3e013d82c2eb8b6
SHA512 6af27c5d363357998288f32c51e4a276d36509cd64445a57b68fd4c391329b036ce681d732ef6ad68f3422aae20c7f6973e3ca01e9b0a8a24f11d6d193885669

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe

MD5 87806b756fa271f76d7c51f79456e601
SHA1 417c64c45db6222cd34aea8cf11abe6a63559c89
SHA256 92c450026e0529747d7071c1313a5ddece56e6f94c9d657cd3e013d82c2eb8b6
SHA512 6af27c5d363357998288f32c51e4a276d36509cd64445a57b68fd4c391329b036ce681d732ef6ad68f3422aae20c7f6973e3ca01e9b0a8a24f11d6d193885669

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe

MD5 87806b756fa271f76d7c51f79456e601
SHA1 417c64c45db6222cd34aea8cf11abe6a63559c89
SHA256 92c450026e0529747d7071c1313a5ddece56e6f94c9d657cd3e013d82c2eb8b6
SHA512 6af27c5d363357998288f32c51e4a276d36509cd64445a57b68fd4c391329b036ce681d732ef6ad68f3422aae20c7f6973e3ca01e9b0a8a24f11d6d193885669

\Users\Admin\AppData\Local\Temp\IXP003.TMP\dS1dg79.exe

MD5 87806b756fa271f76d7c51f79456e601
SHA1 417c64c45db6222cd34aea8cf11abe6a63559c89
SHA256 92c450026e0529747d7071c1313a5ddece56e6f94c9d657cd3e013d82c2eb8b6
SHA512 6af27c5d363357998288f32c51e4a276d36509cd64445a57b68fd4c391329b036ce681d732ef6ad68f3422aae20c7f6973e3ca01e9b0a8a24f11d6d193885669

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UJ48YU8.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

memory/2528-50-0x0000000000850000-0x000000000085A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2bu9548.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

memory/2764-58-0x00000000001A0000-0x00000000001A9000-memory.dmp

memory/2764-64-0x00000000001A0000-0x00000000001A9000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3YC90gc.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

memory/2756-68-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1268-69-0x0000000002B60000-0x0000000002B76000-memory.dmp

memory/2756-70-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

\Users\Admin\AppData\Local\Temp\IXP002.TMP\4wr323vP.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

memory/1560-79-0x00000000010A0000-0x00000000010DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D76B.exe

MD5 44211efdc03e00718d0fea8e75e423a1
SHA1 092bee66e07dd771fc86b444fe79fffa5c875336
SHA256 8c2f2e4bedf6d22bf1951428a0758c62fcba09b5e97253eb906b82d992549889
SHA512 f1d589a500783e039b545ed205e7d06196e986ff745580e87eebaabec39892ca7cc382ae71b16cd5fc3c67e0b3f31510214f518b4b42e5162edc44996d77c42a

C:\Users\Admin\AppData\Local\Temp\D76B.exe

MD5 44211efdc03e00718d0fea8e75e423a1
SHA1 092bee66e07dd771fc86b444fe79fffa5c875336
SHA256 8c2f2e4bedf6d22bf1951428a0758c62fcba09b5e97253eb906b82d992549889
SHA512 f1d589a500783e039b545ed205e7d06196e986ff745580e87eebaabec39892ca7cc382ae71b16cd5fc3c67e0b3f31510214f518b4b42e5162edc44996d77c42a

\Users\Admin\AppData\Local\Temp\D76B.exe

MD5 44211efdc03e00718d0fea8e75e423a1
SHA1 092bee66e07dd771fc86b444fe79fffa5c875336
SHA256 8c2f2e4bedf6d22bf1951428a0758c62fcba09b5e97253eb906b82d992549889
SHA512 f1d589a500783e039b545ed205e7d06196e986ff745580e87eebaabec39892ca7cc382ae71b16cd5fc3c67e0b3f31510214f518b4b42e5162edc44996d77c42a

C:\Users\Admin\AppData\Local\Temp\D837.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\D837.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe

MD5 f3ceb6311015a60b63fbcf853e4d8838
SHA1 173bb30d9ca88329e0aed6c423ef6e49479fb545
SHA256 598178b458a348f2b95c33648dfc20099c4eed047db4fb09b1cad2c4fc65d16f
SHA512 63383b8fad0074082980e75e5b3f4c1dc8b4273cebaae7d9b1019eac068ad959b30759a7640a70267dde9e7ec43cb2bd93f17b6fd12ed3df6fef60bd85509bf4

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe

MD5 f3ceb6311015a60b63fbcf853e4d8838
SHA1 173bb30d9ca88329e0aed6c423ef6e49479fb545
SHA256 598178b458a348f2b95c33648dfc20099c4eed047db4fb09b1cad2c4fc65d16f
SHA512 63383b8fad0074082980e75e5b3f4c1dc8b4273cebaae7d9b1019eac068ad959b30759a7640a70267dde9e7ec43cb2bd93f17b6fd12ed3df6fef60bd85509bf4

\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe

MD5 f3ceb6311015a60b63fbcf853e4d8838
SHA1 173bb30d9ca88329e0aed6c423ef6e49479fb545
SHA256 598178b458a348f2b95c33648dfc20099c4eed047db4fb09b1cad2c4fc65d16f
SHA512 63383b8fad0074082980e75e5b3f4c1dc8b4273cebaae7d9b1019eac068ad959b30759a7640a70267dde9e7ec43cb2bd93f17b6fd12ed3df6fef60bd85509bf4

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ot7lp4Au.exe

MD5 f3ceb6311015a60b63fbcf853e4d8838
SHA1 173bb30d9ca88329e0aed6c423ef6e49479fb545
SHA256 598178b458a348f2b95c33648dfc20099c4eed047db4fb09b1cad2c4fc65d16f
SHA512 63383b8fad0074082980e75e5b3f4c1dc8b4273cebaae7d9b1019eac068ad959b30759a7640a70267dde9e7ec43cb2bd93f17b6fd12ed3df6fef60bd85509bf4

\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe

MD5 b8480037a4d460dc883b32a0c4ed84c9
SHA1 96d098132b54e2bb22074d87d07ae76934eda05e
SHA256 97e685412c57ec82ef8ff3f6bd3ab019b15424dc7c79501bc4645d31a39e3901
SHA512 9cf0c4c7749ea632eeef09984c5003ccba8d3d7c5e3d4de818791b1c619db401a8b47c6c8ff763cb2c1d7dd2af57b9a877bf5aa49cab57282724153b293811e1

\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe

MD5 b8480037a4d460dc883b32a0c4ed84c9
SHA1 96d098132b54e2bb22074d87d07ae76934eda05e
SHA256 97e685412c57ec82ef8ff3f6bd3ab019b15424dc7c79501bc4645d31a39e3901
SHA512 9cf0c4c7749ea632eeef09984c5003ccba8d3d7c5e3d4de818791b1c619db401a8b47c6c8ff763cb2c1d7dd2af57b9a877bf5aa49cab57282724153b293811e1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe

MD5 b8480037a4d460dc883b32a0c4ed84c9
SHA1 96d098132b54e2bb22074d87d07ae76934eda05e
SHA256 97e685412c57ec82ef8ff3f6bd3ab019b15424dc7c79501bc4645d31a39e3901
SHA512 9cf0c4c7749ea632eeef09984c5003ccba8d3d7c5e3d4de818791b1c619db401a8b47c6c8ff763cb2c1d7dd2af57b9a877bf5aa49cab57282724153b293811e1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JQ7Ua9KB.exe

MD5 b8480037a4d460dc883b32a0c4ed84c9
SHA1 96d098132b54e2bb22074d87d07ae76934eda05e
SHA256 97e685412c57ec82ef8ff3f6bd3ab019b15424dc7c79501bc4645d31a39e3901
SHA512 9cf0c4c7749ea632eeef09984c5003ccba8d3d7c5e3d4de818791b1c619db401a8b47c6c8ff763cb2c1d7dd2af57b9a877bf5aa49cab57282724153b293811e1

C:\Users\Admin\AppData\Local\Temp\D9CD.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\4OV624Qt.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\D9CD.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe

MD5 cce753efe2914e6ad4fb038e7132fd33
SHA1 772ab798331195ec9534e1130fad551c60858339
SHA256 c40b5cd18b1fc5463361caa997f4302eacf83870f4971a320c2ce454fbff6cb5
SHA512 6f2944ab6e03e9b4563667daa530563197be7f1f73a0dfdfc1ceff92f978f70af374bd35f156ca32fbaa63f04b68bc7946336bb4050513e8dc2360bd8ce484ea

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe

MD5 cce753efe2914e6ad4fb038e7132fd33
SHA1 772ab798331195ec9534e1130fad551c60858339
SHA256 c40b5cd18b1fc5463361caa997f4302eacf83870f4971a320c2ce454fbff6cb5
SHA512 6f2944ab6e03e9b4563667daa530563197be7f1f73a0dfdfc1ceff92f978f70af374bd35f156ca32fbaa63f04b68bc7946336bb4050513e8dc2360bd8ce484ea

\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe

MD5 cce753efe2914e6ad4fb038e7132fd33
SHA1 772ab798331195ec9534e1130fad551c60858339
SHA256 c40b5cd18b1fc5463361caa997f4302eacf83870f4971a320c2ce454fbff6cb5
SHA512 6f2944ab6e03e9b4563667daa530563197be7f1f73a0dfdfc1ceff92f978f70af374bd35f156ca32fbaa63f04b68bc7946336bb4050513e8dc2360bd8ce484ea

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cf9Lx6ma.exe

MD5 cce753efe2914e6ad4fb038e7132fd33
SHA1 772ab798331195ec9534e1130fad551c60858339
SHA256 c40b5cd18b1fc5463361caa997f4302eacf83870f4971a320c2ce454fbff6cb5
SHA512 6f2944ab6e03e9b4563667daa530563197be7f1f73a0dfdfc1ceff92f978f70af374bd35f156ca32fbaa63f04b68bc7946336bb4050513e8dc2360bd8ce484ea

\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe

MD5 099f99e3884ab3edc405aee89200d7f4
SHA1 93e5cb16c9fb947af861e77ae739035706445fe3
SHA256 820072848482f8f5dcfc9e6ce137250e4e02ded72bd95ee0119e549edc290ce0
SHA512 e3b4ee447f36cf9e2ab405aa229c7ba8963ac2db9b78d12f706b6f69d3a512cae49687ba84f94de4d8a186146883438772a3dd07408d25194475880fdfa46f22

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe

MD5 099f99e3884ab3edc405aee89200d7f4
SHA1 93e5cb16c9fb947af861e77ae739035706445fe3
SHA256 820072848482f8f5dcfc9e6ce137250e4e02ded72bd95ee0119e549edc290ce0
SHA512 e3b4ee447f36cf9e2ab405aa229c7ba8963ac2db9b78d12f706b6f69d3a512cae49687ba84f94de4d8a186146883438772a3dd07408d25194475880fdfa46f22

\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe

MD5 099f99e3884ab3edc405aee89200d7f4
SHA1 93e5cb16c9fb947af861e77ae739035706445fe3
SHA256 820072848482f8f5dcfc9e6ce137250e4e02ded72bd95ee0119e549edc290ce0
SHA512 e3b4ee447f36cf9e2ab405aa229c7ba8963ac2db9b78d12f706b6f69d3a512cae49687ba84f94de4d8a186146883438772a3dd07408d25194475880fdfa46f22

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\Sf8Bk8nM.exe

MD5 099f99e3884ab3edc405aee89200d7f4
SHA1 93e5cb16c9fb947af861e77ae739035706445fe3
SHA256 820072848482f8f5dcfc9e6ce137250e4e02ded72bd95ee0119e549edc290ce0
SHA512 e3b4ee447f36cf9e2ab405aa229c7ba8963ac2db9b78d12f706b6f69d3a512cae49687ba84f94de4d8a186146883438772a3dd07408d25194475880fdfa46f22

C:\Users\Admin\AppData\Local\Temp\DAE7.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\DAE7.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

memory/2812-151-0x0000000000B30000-0x0000000000B6E000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1JM22Iz8.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\DCEB.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

memory/1056-162-0x00000000004E0000-0x0000000000500000-memory.dmp

memory/1056-163-0x0000000001DB0000-0x0000000001DCE000-memory.dmp

memory/1056-165-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DE43.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1056-175-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

memory/1056-176-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/2812-173-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/1056-179-0x0000000002140000-0x0000000002180000-memory.dmp

memory/1056-181-0x0000000002140000-0x0000000002180000-memory.dmp

memory/1056-183-0x0000000002140000-0x0000000002180000-memory.dmp

memory/1056-182-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP007.TMP\2fp552no.exe

MD5 6c2726b56d7324b9cee3e4aa7d481d99
SHA1 3e417972b5b5f3ef473a2beea6e6596c774e603c
SHA256 5afd27015147648e6ff2be220d33c679c8e85f7b2a2dd600f562b07ce1069253
SHA512 3d76dfc6793db1ef026db0a7077a55db6376f000232e19a4fca45b69f13675ee699bfb4ea5eeb79e216ce5577453057a7c5959cab46c3d0dc30f2cfb15bb42a6

memory/1056-188-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

memory/1056-178-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

memory/1056-191-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

memory/2088-190-0x0000000001210000-0x000000000124E000-memory.dmp

memory/1056-193-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

memory/1056-195-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

memory/1056-200-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DE43.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1056-202-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

memory/1056-204-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

memory/1056-206-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

memory/1056-208-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

memory/1056-210-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

memory/1056-212-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

memory/1056-214-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DE43.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1056-164-0x0000000001DB0000-0x0000000001DC8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E804.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/2092-220-0x0000000000600000-0x000000000065A000-memory.dmp

memory/2092-223-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2092-225-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/3040-229-0x0000000000E10000-0x0000000000E2E000-memory.dmp

memory/3040-230-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/3040-231-0x00000000005D0000-0x0000000000610000-memory.dmp

memory/2740-235-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/2740-236-0x0000000000260000-0x00000000002BA000-memory.dmp

memory/2812-237-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/2740-238-0x00000000002F0000-0x0000000000330000-memory.dmp

memory/1056-239-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/1056-240-0x0000000002140000-0x0000000002180000-memory.dmp

memory/1056-241-0x0000000002140000-0x0000000002180000-memory.dmp

memory/1056-242-0x0000000002140000-0x0000000002180000-memory.dmp

memory/2812-246-0x00000000043A0000-0x00000000043E0000-memory.dmp

memory/768-247-0x0000000000300000-0x000000000041B000-memory.dmp

memory/912-248-0x0000000000400000-0x000000000043E000-memory.dmp

memory/912-250-0x0000000000400000-0x000000000043E000-memory.dmp

memory/912-254-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/768-256-0x0000000000300000-0x000000000041B000-memory.dmp

memory/912-258-0x0000000000400000-0x000000000043E000-memory.dmp

memory/912-257-0x0000000000400000-0x000000000043E000-memory.dmp

memory/912-259-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/912-260-0x0000000004B20000-0x0000000004B60000-memory.dmp

memory/2092-268-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/3040-269-0x0000000074780000-0x0000000074E6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab688.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar717.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/3040-297-0x00000000005D0000-0x0000000000610000-memory.dmp

memory/1056-298-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/2740-299-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/2740-300-0x00000000002F0000-0x0000000000330000-memory.dmp

memory/1592-305-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/1592-304-0x0000000001260000-0x0000000001C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 e5bbfaa96a70b5c2316d1befe5a1b85c
SHA1 399a478e94abf553332d11c18b9f88894ecaeabe
SHA256 b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30
SHA512 bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0bce2fed456a72a2486b1d17621c88d6
SHA1 4cbff382f76920526ec0bc81a05bfd372dd88229
SHA256 09d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b
SHA512 74c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4

memory/900-321-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1400-319-0x0000000000250000-0x0000000000350000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1C33.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

memory/900-329-0x0000000000400000-0x0000000000409000-memory.dmp

memory/908-327-0x0000000002730000-0x0000000002B28000-memory.dmp

memory/1400-328-0x00000000001B0000-0x00000000001B9000-memory.dmp

memory/912-330-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/900-332-0x0000000000400000-0x0000000000409000-memory.dmp

memory/912-334-0x0000000004B20000-0x0000000004B60000-memory.dmp

memory/1792-335-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1792-336-0x0000000000020000-0x000000000003E000-memory.dmp

memory/1792-340-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/908-341-0x0000000002B30000-0x000000000341B000-memory.dmp

memory/908-342-0x0000000002730000-0x0000000002B28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\24BC.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/1792-344-0x0000000004680000-0x00000000046C0000-memory.dmp

memory/1592-350-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/908-351-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2A49.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

memory/1268-357-0x00000000040E0000-0x00000000040F6000-memory.dmp

memory/900-358-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1792-362-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1792-363-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/1648-364-0x00000000026A0000-0x0000000002A98000-memory.dmp

memory/2740-365-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/908-366-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/908-368-0x0000000002B30000-0x000000000341B000-memory.dmp

memory/1792-370-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/1648-372-0x00000000026A0000-0x0000000002A98000-memory.dmp

memory/1648-384-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/912-385-0x0000000074780000-0x0000000074E6E000-memory.dmp

memory/1648-393-0x00000000026A0000-0x0000000002A98000-memory.dmp

memory/1648-394-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2500-395-0x0000000002640000-0x0000000002A38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JKJDDTWXXVLPR43FTSMA.temp

MD5 70367d786d09101cb7391bb8d32b139e
SHA1 b2517cf31e29c976f5bf9a7813576e21ab3abfaa
SHA256 d3e9d1635dd11a5ab543585790d54d07ba514844fb70fb51e5d1092f202db8e0
SHA512 213069d4700b3c95c7c8632ac6cbba938115fadc98832ad2262d5674c258e7efeb83666b1eca9eea6d545e452899e34f4a86e978a21368d42204c530200f2158

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09