Malware Analysis Report

2025-08-05 16:12

Sample ID 231026-j548ksef25
Target 465a4fc83e3d108d9d82f27068f95144.exe
SHA256 90115f4a93ae665032878093eeed162b21d636201bf102cbb160720b8e28609e
Tags
amadey dcrat glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza up3 backdoor discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

90115f4a93ae665032878093eeed162b21d636201bf102cbb160720b8e28609e

Threat Level: Known bad

The file 465a4fc83e3d108d9d82f27068f95144.exe was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

Glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess

Amadey

Windows security bypass

ZGRat

DcRat

RedLine

RedLine payload

Modifies Windows Defender Real-time Protection settings

Detect ZGRat V1

Raccoon

Raccoon Stealer payload

Glupteba payload

Modifies boot configuration data using bcdedit

Drops file in Drivers directory

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Possible attempt to disable PatchGuard

Windows security modification

Loads dropped DLL

UPX packed file

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Manipulates WinMonFS driver.

Manipulates WinMon driver.

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Creates scheduled task(s)

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-26 08:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-26 08:16

Reported

2023-10-26 08:18

Platform

win7-20231020-en

Max time kernel

144s

Max time network

158s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\C787.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\C787.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\C787.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\C787.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\C787.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\C787.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C1F8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C321.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C65E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C787.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C95C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CCC7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cm672QF.exe N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F5FB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AF2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1D99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\664D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C1F8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C1F8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C95C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cm672QF.exe N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1D99.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\C787.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\C787.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\F5FB.exe'\"" C:\Users\Admin\AppData\Local\Temp\F5FB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\C1F8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\CCC7.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20231026081720.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C787.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CCC7.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2204 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2204 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2204 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2204 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2204 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2204 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2204 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2204 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2204 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1304 wrote to memory of 2764 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C1F8.exe
PID 1304 wrote to memory of 2764 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C1F8.exe
PID 1304 wrote to memory of 2764 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C1F8.exe
PID 1304 wrote to memory of 2764 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C1F8.exe
PID 1304 wrote to memory of 2764 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C1F8.exe
PID 1304 wrote to memory of 2764 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C1F8.exe
PID 1304 wrote to memory of 2764 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C1F8.exe
PID 1304 wrote to memory of 2752 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C321.exe
PID 1304 wrote to memory of 2752 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C321.exe
PID 1304 wrote to memory of 2752 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C321.exe
PID 1304 wrote to memory of 2752 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C321.exe
PID 2764 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\C1F8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe
PID 2764 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\C1F8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe
PID 2764 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\C1F8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe
PID 2764 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\C1F8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe
PID 2764 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\C1F8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe
PID 2764 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\C1F8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe
PID 2764 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\C1F8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe
PID 1304 wrote to memory of 2784 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1304 wrote to memory of 2784 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1304 wrote to memory of 2784 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2820 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe
PID 2820 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe
PID 2820 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe
PID 2820 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe
PID 2820 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe
PID 2820 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe
PID 2820 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe
PID 1304 wrote to memory of 2812 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C65E.exe
PID 1304 wrote to memory of 2812 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C65E.exe
PID 1304 wrote to memory of 2812 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C65E.exe
PID 1304 wrote to memory of 2812 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C65E.exe
PID 2244 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe
PID 2244 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe
PID 2244 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe
PID 2244 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe
PID 2244 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe
PID 2244 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe
PID 2244 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe
PID 1304 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C787.exe
PID 1304 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C787.exe
PID 1304 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C787.exe
PID 1304 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C787.exe
PID 1632 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe
PID 1632 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe
PID 1632 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe
PID 1632 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe
PID 1632 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe
PID 1632 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe
PID 1632 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe
PID 1304 wrote to memory of 2484 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C95C.exe
PID 1304 wrote to memory of 2484 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C95C.exe
PID 1304 wrote to memory of 2484 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C95C.exe
PID 1304 wrote to memory of 2484 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\C95C.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe

"C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\C1F8.exe

C:\Users\Admin\AppData\Local\Temp\C1F8.exe

C:\Users\Admin\AppData\Local\Temp\C321.exe

C:\Users\Admin\AppData\Local\Temp\C321.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\C489.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe

C:\Users\Admin\AppData\Local\Temp\C65E.exe

C:\Users\Admin\AppData\Local\Temp\C65E.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe

C:\Users\Admin\AppData\Local\Temp\C787.exe

C:\Users\Admin\AppData\Local\Temp\C787.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe

C:\Users\Admin\AppData\Local\Temp\C95C.exe

C:\Users\Admin\AppData\Local\Temp\C95C.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe

C:\Users\Admin\AppData\Local\Temp\CCC7.exe

C:\Users\Admin\AppData\Local\Temp\CCC7.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cm672QF.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cm672QF.exe

C:\Users\Admin\AppData\Local\Temp\F0DB.exe

C:\Users\Admin\AppData\Local\Temp\F0DB.exe

C:\Users\Admin\AppData\Local\Temp\F5FB.exe

C:\Users\Admin\AppData\Local\Temp\F5FB.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\AF2.exe

C:\Users\Admin\AppData\Local\Temp\AF2.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 524

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {35704BCE-4AA7-4861-8355-F8B97FAA8CCD} S-1-5-21-2952504676-3105837840-1406404655-1000:URUOZWGF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\1D99.exe

C:\Users\Admin\AppData\Local\Temp\1D99.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 256

C:\Users\Admin\AppData\Local\Temp\664D.exe

C:\Users\Admin\AppData\Local\Temp\664D.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231026081720.log C:\Windows\Logs\CBS\CbsPersist_20231026081720.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {9FFE95BC-1C3A-431C-A67F-A79E257E79FD} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country  Destination            Domain                                                      Proto
FI       77.91.68.29:80         77.91.68.29                                                 tcp
FI       77.91.68.249:80        77.91.68.249                                                tcp
RU       193.233.255.73:80      193.233.255.73                                              tcp
RU       5.42.65.80:80          5.42.65.80                                                  tcp
BG       171.22.28.239:42359                                                                tcp
FI       77.91.124.1:80         77.91.124.1                                                 tcp
FI       77.91.68.29:80         77.91.68.29                                                 tcp
FI       77.91.124.86:19084                                                                 tcp
FI       77.91.124.86:19084                                                                 tcp
FI       77.91.124.71:4341                                                                  tcp
NL       81.161.229.93:80       81.161.229.93                                               tcp
US       8.8.8.8:53             iplogger.com                                                udp
DE       148.251.234.93:443     iplogger.com                                                tcp
BG       171.22.28.213:80       171.22.28.213                                               tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
FI       77.91.124.86:19084                                                                 tcp
FI       77.91.124.86:19084                                                                 tcp
FI       77.91.68.29:80         77.91.68.29                                                 tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
FI       77.91.124.1:80         77.91.124.1                                                 tcp
US       8.8.8.8:53             host-file-host6.com                                         udp
US       8.8.8.8:53             host-host-file8.com                                         udp
US       95.214.26.28:80        host-host-file8.com                                         tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
US       8.8.8.8:53             66ec4e84-8635-46b1-ba32-9e6456f8b266.uuid.datadumpcloud.org udp
US       8.8.8.8:53             msdl.microsoft.com                                          udp
US       131.253.33.219:443     msdl.microsoft.com                                          tcp
US       8.8.8.8:53             vsblobprodscussu5shard30.blob.core.windows.net              udp
US       20.150.70.36:443       vsblobprodscussu5shard30.blob.core.windows.net              tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
FI       77.91.124.86:19084                                                                 tcp
FI       77.91.124.86:19084                                                                 tcp
NL       194.169.175.235:42691                                                              tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
US       8.8.8.8:53             vsblobprodscussu5shard58.blob.core.windows.net              udp
US       20.150.79.68:443       vsblobprodscussu5shard58.blob.core.windows.net              tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
US       8.8.8.8:53             server13.datadumpcloud.org                                  udp
US       8.8.8.8:53             stun4.l.google.com                                          udp
US       8.8.8.8:53             cdn.discordapp.com                                          udp
US       162.159.135.233:443    cdn.discordapp.com                                          tcp
BG       185.82.216.104:443     server13.datadumpcloud.org                                  tcp
US       74.125.204.127:19302   stun4.l.google.com                                          udp
US       8.8.8.8:53             walkinglate.com                                             udp
US       188.114.96.0:443       walkinglate.com                                             tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
FI       77.91.124.86:19084                                                                 tcp
FI       77.91.124.86:19084                                                                 tcp
US       8.8.8.8:53             xmr-eu1.nanopool.org                                        udp
DE       135.125.238.108:14433  xmr-eu1.nanopool.org                                        tcp
US       8.8.8.8:53             pastebin.com                                                udp
US       104.20.67.143:443      pastebin.com                                                tcp
NL       51.15.58.224:14433     xmr-eu1.nanopool.org                                        tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
US       8.8.8.8:53             server13.datadumpcloud.org                                  udp
BG       185.82.216.104:443     server13.datadumpcloud.org                                  tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
FI       77.91.124.86:19084                                                                 tcp
FI       77.91.124.86:19084                                                                 tcp
DE       148.251.234.93:443     iplogger.com                                                tcp
DE       148.251.234.93:443     iplogger.com                                                tcp

Files

memory/2032-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2032-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2032-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2032-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2032-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1304-5-0x0000000002A10000-0x0000000002A26000-memory.dmp

memory/2032-6-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C1F8.exe

MD5 7b330787a922b9967075a77a51f249b9
SHA1 897b3f0c07e4dc5e9d73a1230db01f18030885f6
SHA256 63d241628b82da0c68bafb319cddb0fe55745c58be3e2bffa739150a57fbd155
SHA512 a8349f07ae89f64f2959322e3fb3ff86e0b2eab678730e630d05ca01bfae075711762828bf69b20c77ce6baf45b50aad4dfb99d2a38a8631416d29bb5a7abc4e

C:\Users\Admin\AppData\Local\Temp\C1F8.exe

MD5 7b330787a922b9967075a77a51f249b9
SHA1 897b3f0c07e4dc5e9d73a1230db01f18030885f6
SHA256 63d241628b82da0c68bafb319cddb0fe55745c58be3e2bffa739150a57fbd155
SHA512 a8349f07ae89f64f2959322e3fb3ff86e0b2eab678730e630d05ca01bfae075711762828bf69b20c77ce6baf45b50aad4dfb99d2a38a8631416d29bb5a7abc4e

C:\Users\Admin\AppData\Local\Temp\C321.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

\Users\Admin\AppData\Local\Temp\C1F8.exe

MD5 7b330787a922b9967075a77a51f249b9
SHA1 897b3f0c07e4dc5e9d73a1230db01f18030885f6
SHA256 63d241628b82da0c68bafb319cddb0fe55745c58be3e2bffa739150a57fbd155
SHA512 a8349f07ae89f64f2959322e3fb3ff86e0b2eab678730e630d05ca01bfae075711762828bf69b20c77ce6baf45b50aad4dfb99d2a38a8631416d29bb5a7abc4e

\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe

MD5 098656950922e686b08e0075c0d32fb1
SHA1 cac8b195032cc702651a2321159119d21b5a6bfa
SHA256 6f62dbd190e2cab62609f16c0ac22bb7f771844816072bc6eda1dd079707e461
SHA512 77280ef69bc7391d208e6467f2703e0fbc4c864ac2618bb4a2238f758734983a6133bd26bcd1fcb0d66013c2c3196d02fe3234ef4307b2de49978cebabb9b03f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe

MD5 098656950922e686b08e0075c0d32fb1
SHA1 cac8b195032cc702651a2321159119d21b5a6bfa
SHA256 6f62dbd190e2cab62609f16c0ac22bb7f771844816072bc6eda1dd079707e461
SHA512 77280ef69bc7391d208e6467f2703e0fbc4c864ac2618bb4a2238f758734983a6133bd26bcd1fcb0d66013c2c3196d02fe3234ef4307b2de49978cebabb9b03f

\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe

MD5 098656950922e686b08e0075c0d32fb1
SHA1 cac8b195032cc702651a2321159119d21b5a6bfa
SHA256 6f62dbd190e2cab62609f16c0ac22bb7f771844816072bc6eda1dd079707e461
SHA512 77280ef69bc7391d208e6467f2703e0fbc4c864ac2618bb4a2238f758734983a6133bd26bcd1fcb0d66013c2c3196d02fe3234ef4307b2de49978cebabb9b03f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe

MD5 098656950922e686b08e0075c0d32fb1
SHA1 cac8b195032cc702651a2321159119d21b5a6bfa
SHA256 6f62dbd190e2cab62609f16c0ac22bb7f771844816072bc6eda1dd079707e461
SHA512 77280ef69bc7391d208e6467f2703e0fbc4c864ac2618bb4a2238f758734983a6133bd26bcd1fcb0d66013c2c3196d02fe3234ef4307b2de49978cebabb9b03f

C:\Users\Admin\AppData\Local\Temp\C489.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\C489.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe

MD5 0a4de9ccb2344829a377246af96a60eb
SHA1 85902bc034aeb5376d63f64965ee0e33b78bc4d4
SHA256 0975f5f2eed6f8cd8e491a1ebea3b024cf721f2c2b8420b863704c804b87902f
SHA512 4917cf6b5d9ec6df29b9b8f3b0ef32822b6ae23af67663b4901fa5293ba35c74a55e92f19675f391389c1dadafa803353a241f7a3a4dafa894b9e0b6d51c35b0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe

MD5 0a4de9ccb2344829a377246af96a60eb
SHA1 85902bc034aeb5376d63f64965ee0e33b78bc4d4
SHA256 0975f5f2eed6f8cd8e491a1ebea3b024cf721f2c2b8420b863704c804b87902f
SHA512 4917cf6b5d9ec6df29b9b8f3b0ef32822b6ae23af67663b4901fa5293ba35c74a55e92f19675f391389c1dadafa803353a241f7a3a4dafa894b9e0b6d51c35b0

C:\Users\Admin\AppData\Local\Temp\C65E.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe

MD5 0a4de9ccb2344829a377246af96a60eb
SHA1 85902bc034aeb5376d63f64965ee0e33b78bc4d4
SHA256 0975f5f2eed6f8cd8e491a1ebea3b024cf721f2c2b8420b863704c804b87902f
SHA512 4917cf6b5d9ec6df29b9b8f3b0ef32822b6ae23af67663b4901fa5293ba35c74a55e92f19675f391389c1dadafa803353a241f7a3a4dafa894b9e0b6d51c35b0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe

MD5 0a4de9ccb2344829a377246af96a60eb
SHA1 85902bc034aeb5376d63f64965ee0e33b78bc4d4
SHA256 0975f5f2eed6f8cd8e491a1ebea3b024cf721f2c2b8420b863704c804b87902f
SHA512 4917cf6b5d9ec6df29b9b8f3b0ef32822b6ae23af67663b4901fa5293ba35c74a55e92f19675f391389c1dadafa803353a241f7a3a4dafa894b9e0b6d51c35b0

C:\Users\Admin\AppData\Local\Temp\C65E.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe

MD5 0fd1108be4eddc58cab732458f9b6656
SHA1 0dfa4478e6736a752ce39c28f5cb1fe35e299645
SHA256 076f74cc55caa6b6c0869114fb7bd00fe9f2073623d95d8f7a48d14a74cad2d5
SHA512 9380c65761cd1594c6e6714ed44dd62250f7460adf24d20f78941e511cca7f5c57c42d3d8bce720d6b9a7b0867806fc8c4b5db665124e20e4be581708eee4632

C:\Users\Admin\AppData\Local\Temp\C787.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe

MD5 0fd1108be4eddc58cab732458f9b6656
SHA1 0dfa4478e6736a752ce39c28f5cb1fe35e299645
SHA256 076f74cc55caa6b6c0869114fb7bd00fe9f2073623d95d8f7a48d14a74cad2d5
SHA512 9380c65761cd1594c6e6714ed44dd62250f7460adf24d20f78941e511cca7f5c57c42d3d8bce720d6b9a7b0867806fc8c4b5db665124e20e4be581708eee4632

C:\Users\Admin\AppData\Local\Temp\C787.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe

MD5 0fd1108be4eddc58cab732458f9b6656
SHA1 0dfa4478e6736a752ce39c28f5cb1fe35e299645
SHA256 076f74cc55caa6b6c0869114fb7bd00fe9f2073623d95d8f7a48d14a74cad2d5
SHA512 9380c65761cd1594c6e6714ed44dd62250f7460adf24d20f78941e511cca7f5c57c42d3d8bce720d6b9a7b0867806fc8c4b5db665124e20e4be581708eee4632

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Te9Wc79.exe

MD5 a0776f0709360266597ba2744a0a0b07
SHA1 7bad1ed3580fbbe68ce3695ff1aeab94fcb82a1e
SHA256 dc3cd0cac293bf997bf3be9de918efbac9b7ddf39eb226b0d12c657d657ffa5e
SHA512 674a24ce404db340677bf32ae344a939f4edf1ff12e5f51826e49d962196d6b7c095b8b6c8bafa458881d76ed32fcd802e15c8253a3ee848251d04cb1bafd44b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe

MD5 0fd1108be4eddc58cab732458f9b6656
SHA1 0dfa4478e6736a752ce39c28f5cb1fe35e299645
SHA256 076f74cc55caa6b6c0869114fb7bd00fe9f2073623d95d8f7a48d14a74cad2d5
SHA512 9380c65761cd1594c6e6714ed44dd62250f7460adf24d20f78941e511cca7f5c57c42d3d8bce720d6b9a7b0867806fc8c4b5db665124e20e4be581708eee4632

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe

MD5 b44d195a6af65c40e38016ebd9fa6b81
SHA1 24ef75dbe41d39f4d52d535b2befecde3ea059fd
SHA256 206e2fb69c032e0ed13fa62b5e74d17a08f28d8b86d33954e572a0393acc2dd2
SHA512 c497526b3e962ec4da228fbd000c566a470ef200297e2665a09d21b10b9e9d5f1e741be9d7c64a1430e1bc12aa8b451d76234cc825130b5335fb90a1ea79dd7d

\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe

MD5 b44d195a6af65c40e38016ebd9fa6b81
SHA1 24ef75dbe41d39f4d52d535b2befecde3ea059fd
SHA256 206e2fb69c032e0ed13fa62b5e74d17a08f28d8b86d33954e572a0393acc2dd2
SHA512 c497526b3e962ec4da228fbd000c566a470ef200297e2665a09d21b10b9e9d5f1e741be9d7c64a1430e1bc12aa8b451d76234cc825130b5335fb90a1ea79dd7d

C:\Users\Admin\AppData\Local\Temp\C95C.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\C95C.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe

MD5 b44d195a6af65c40e38016ebd9fa6b81
SHA1 24ef75dbe41d39f4d52d535b2befecde3ea059fd
SHA256 206e2fb69c032e0ed13fa62b5e74d17a08f28d8b86d33954e572a0393acc2dd2
SHA512 c497526b3e962ec4da228fbd000c566a470ef200297e2665a09d21b10b9e9d5f1e741be9d7c64a1430e1bc12aa8b451d76234cc825130b5335fb90a1ea79dd7d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe

MD5 b44d195a6af65c40e38016ebd9fa6b81
SHA1 24ef75dbe41d39f4d52d535b2befecde3ea059fd
SHA256 206e2fb69c032e0ed13fa62b5e74d17a08f28d8b86d33954e572a0393acc2dd2
SHA512 c497526b3e962ec4da228fbd000c566a470ef200297e2665a09d21b10b9e9d5f1e741be9d7c64a1430e1bc12aa8b451d76234cc825130b5335fb90a1ea79dd7d

C:\Users\Admin\AppData\Local\Temp\C95C.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2836-100-0x0000000000910000-0x000000000091A000-memory.dmp

memory/2812-101-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2812-99-0x0000000000B10000-0x0000000000B4E000-memory.dmp

memory/2836-102-0x0000000074110000-0x00000000747FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe

MD5 f3705bd779ea6170793ef79e54c4e18f
SHA1 0abadbc9d1e2a499368523c86c2347156e7ffe8f
SHA256 187f3bfd0a25635c0e5d0d4ba78425c4f5516c5686344550caaaa13220da674c
SHA512 3ab21db34013611a721d8d9089beb6d75af0f1e48af9c81774c757c802338118132a4355227e3ad27663b3545ff40a3e08c7baf66299830e9c9173a28cb5576d

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe

MD5 f3705bd779ea6170793ef79e54c4e18f
SHA1 0abadbc9d1e2a499368523c86c2347156e7ffe8f
SHA256 187f3bfd0a25635c0e5d0d4ba78425c4f5516c5686344550caaaa13220da674c
SHA512 3ab21db34013611a721d8d9089beb6d75af0f1e48af9c81774c757c802338118132a4355227e3ad27663b3545ff40a3e08c7baf66299830e9c9173a28cb5576d

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe

MD5 f3705bd779ea6170793ef79e54c4e18f
SHA1 0abadbc9d1e2a499368523c86c2347156e7ffe8f
SHA256 187f3bfd0a25635c0e5d0d4ba78425c4f5516c5686344550caaaa13220da674c
SHA512 3ab21db34013611a721d8d9089beb6d75af0f1e48af9c81774c757c802338118132a4355227e3ad27663b3545ff40a3e08c7baf66299830e9c9173a28cb5576d

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe

MD5 f3705bd779ea6170793ef79e54c4e18f
SHA1 0abadbc9d1e2a499368523c86c2347156e7ffe8f
SHA256 187f3bfd0a25635c0e5d0d4ba78425c4f5516c5686344550caaaa13220da674c
SHA512 3ab21db34013611a721d8d9089beb6d75af0f1e48af9c81774c757c802338118132a4355227e3ad27663b3545ff40a3e08c7baf66299830e9c9173a28cb5576d

C:\Users\Admin\AppData\Local\Temp\CCC7.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe

MD5 f3705bd779ea6170793ef79e54c4e18f
SHA1 0abadbc9d1e2a499368523c86c2347156e7ffe8f
SHA256 187f3bfd0a25635c0e5d0d4ba78425c4f5516c5686344550caaaa13220da674c
SHA512 3ab21db34013611a721d8d9089beb6d75af0f1e48af9c81774c757c802338118132a4355227e3ad27663b3545ff40a3e08c7baf66299830e9c9173a28cb5576d

C:\Users\Admin\AppData\Local\Temp\CCC7.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe

MD5 f3705bd779ea6170793ef79e54c4e18f
SHA1 0abadbc9d1e2a499368523c86c2347156e7ffe8f
SHA256 187f3bfd0a25635c0e5d0d4ba78425c4f5516c5686344550caaaa13220da674c
SHA512 3ab21db34013611a721d8d9089beb6d75af0f1e48af9c81774c757c802338118132a4355227e3ad27663b3545ff40a3e08c7baf66299830e9c9173a28cb5576d

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2468-125-0x0000000000220000-0x000000000027A000-memory.dmp

memory/2468-124-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CCC7.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

memory/2468-130-0x0000000074110000-0x00000000747FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2468-132-0x0000000007080000-0x00000000070C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cm672QF.exe

MD5 067376a628e66226d09bf13e6199c23c
SHA1 60f2e807af25f4e1dd64bf1d2147ba698ff19c33
SHA256 4bdbebfa4e51279850142ad7845cb2304323205cba1b2bdfd39eeafa840bef5b
SHA512 c74b35969ce078ebed6310001066d9beb39402a7026f8a57254e8fbcc0eda2a982b3e566fb4a3771ea232c8f88f8b59f3922089dfa7ac7522729655e5d03636b

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cm672QF.exe

MD5 067376a628e66226d09bf13e6199c23c
SHA1 60f2e807af25f4e1dd64bf1d2147ba698ff19c33
SHA256 4bdbebfa4e51279850142ad7845cb2304323205cba1b2bdfd39eeafa840bef5b
SHA512 c74b35969ce078ebed6310001066d9beb39402a7026f8a57254e8fbcc0eda2a982b3e566fb4a3771ea232c8f88f8b59f3922089dfa7ac7522729655e5d03636b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cm672QF.exe

MD5 067376a628e66226d09bf13e6199c23c
SHA1 60f2e807af25f4e1dd64bf1d2147ba698ff19c33
SHA256 4bdbebfa4e51279850142ad7845cb2304323205cba1b2bdfd39eeafa840bef5b
SHA512 c74b35969ce078ebed6310001066d9beb39402a7026f8a57254e8fbcc0eda2a982b3e566fb4a3771ea232c8f88f8b59f3922089dfa7ac7522729655e5d03636b

memory/2836-141-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2144-140-0x00000000013B0000-0x00000000013EE000-memory.dmp

memory/2812-136-0x0000000074110000-0x00000000747FE000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cm672QF.exe

MD5 067376a628e66226d09bf13e6199c23c
SHA1 60f2e807af25f4e1dd64bf1d2147ba698ff19c33
SHA256 4bdbebfa4e51279850142ad7845cb2304323205cba1b2bdfd39eeafa840bef5b
SHA512 c74b35969ce078ebed6310001066d9beb39402a7026f8a57254e8fbcc0eda2a982b3e566fb4a3771ea232c8f88f8b59f3922089dfa7ac7522729655e5d03636b

C:\Users\Admin\AppData\Local\Temp\F0DB.exe

MD5 dd879217d6270ce10527c1f4752e2602
SHA1 9b95b9be2b977cf9b7f5b268e33b2a8abc438e3d
SHA256 a406a3c1474a57c62f3dbd56aa15d5d732e6a0fe8bbfd7bce9425b132204da8b
SHA512 897e72e251fdab2b4a1a2a0f33df3e5e3ab931620614527bf483b196505f87ebdddd884881aa21fbc661b72ca5157cb60e3b6d21ca04c526c099b5439e75648d

C:\Users\Admin\AppData\Local\Temp\F0DB.exe

MD5 dd879217d6270ce10527c1f4752e2602
SHA1 9b95b9be2b977cf9b7f5b268e33b2a8abc438e3d
SHA256 a406a3c1474a57c62f3dbd56aa15d5d732e6a0fe8bbfd7bce9425b132204da8b
SHA512 897e72e251fdab2b4a1a2a0f33df3e5e3ab931620614527bf483b196505f87ebdddd884881aa21fbc661b72ca5157cb60e3b6d21ca04c526c099b5439e75648d

memory/2404-147-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2404-148-0x00000000008D0000-0x00000000012B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F5FB.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\F5FB.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/2468-163-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

memory/2836-167-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2468-168-0x0000000074110000-0x00000000747FE000-memory.dmp

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5283cdd674c839582d319aabafaad58e
SHA1 04f113b8d35ed25942fcf11e830c3161004f5c18
SHA256 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2
SHA512 f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5283cdd674c839582d319aabafaad58e
SHA1 04f113b8d35ed25942fcf11e830c3161004f5c18
SHA256 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2
SHA512 f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5283cdd674c839582d319aabafaad58e
SHA1 04f113b8d35ed25942fcf11e830c3161004f5c18
SHA256 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2
SHA512 f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5283cdd674c839582d319aabafaad58e
SHA1 04f113b8d35ed25942fcf11e830c3161004f5c18
SHA256 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2
SHA512 f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/1492-182-0x0000000000320000-0x0000000000328000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AF2.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

C:\Users\Admin\AppData\Local\Temp\AF2.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

memory/1704-190-0x0000000000220000-0x000000000027A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

memory/1580-199-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

memory/1580-201-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1004-203-0x0000000000974000-0x0000000000987000-memory.dmp

memory/1004-204-0x0000000000220000-0x0000000000229000-memory.dmp

\Users\Admin\AppData\Local\Temp\AF2.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

memory/2212-207-0x00000000025F0000-0x00000000029E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

\Users\Admin\AppData\Local\Temp\AF2.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2404-211-0x0000000074110000-0x00000000747FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1D99.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

C:\Users\Admin\AppData\Local\Temp\1D99.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

memory/1492-217-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

memory/1704-218-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2100-219-0x0000000000D90000-0x0000000001170000-memory.dmp

memory/1580-220-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2212-221-0x00000000029F0000-0x00000000032DB000-memory.dmp

memory/2212-222-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2100-223-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2468-224-0x0000000007080000-0x00000000070C0000-memory.dmp

memory/2212-225-0x00000000025F0000-0x00000000029E8000-memory.dmp

memory/1704-226-0x0000000000400000-0x000000000047E000-memory.dmp

memory/2212-227-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1492-228-0x000000001AFB0000-0x000000001B030000-memory.dmp

memory/1304-229-0x0000000003DE0000-0x0000000003DF6000-memory.dmp

memory/1580-230-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2824-235-0x000000013F400000-0x000000013F9A1000-memory.dmp

memory/2212-236-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1492-237-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

memory/2100-238-0x00000000001E0000-0x00000000001EA000-memory.dmp

memory/2100-239-0x00000000001F0000-0x00000000001F8000-memory.dmp

memory/2212-240-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2100-241-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2100-242-0x0000000004F60000-0x00000000050F2000-memory.dmp

memory/1492-243-0x000000001AFB0000-0x000000001B030000-memory.dmp

memory/2100-248-0x00000000002F0000-0x0000000000300000-memory.dmp

memory/2100-250-0x0000000004F20000-0x0000000004F60000-memory.dmp

memory/2100-249-0x0000000004F20000-0x0000000004F60000-memory.dmp

memory/2100-251-0x0000000004F20000-0x0000000004F60000-memory.dmp

memory/2100-252-0x0000000004F20000-0x0000000004F60000-memory.dmp

memory/2100-247-0x0000000004F20000-0x0000000004F60000-memory.dmp

memory/2100-253-0x0000000004F20000-0x0000000004F60000-memory.dmp

memory/2100-255-0x0000000004F20000-0x0000000004F60000-memory.dmp

memory/2100-254-0x0000000004F20000-0x0000000004F60000-memory.dmp

memory/2100-256-0x0000000005550000-0x0000000005650000-memory.dmp

memory/2100-257-0x0000000004F20000-0x0000000004F60000-memory.dmp

memory/2100-258-0x0000000004F20000-0x0000000004F60000-memory.dmp

memory/2312-259-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2312-260-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2312-262-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2312-261-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2312-263-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2312-265-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2312-268-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2100-270-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2312-272-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2212-274-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2468-276-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2212-288-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2308-289-0x0000000002690000-0x0000000002A88000-memory.dmp

memory/2308-290-0x0000000002690000-0x0000000002A88000-memory.dmp

memory/2308-291-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2020-298-0x0000000001D90000-0x0000000001D98000-memory.dmp

memory/2020-297-0x000000001B330000-0x000000001B612000-memory.dmp

memory/2020-299-0x000007FEEE590000-0x000007FEEEF2D000-memory.dmp

memory/1472-300-0x000000013F2F0000-0x000000013F656000-memory.dmp

memory/2020-302-0x0000000002780000-0x0000000002800000-memory.dmp

memory/2020-301-0x0000000002780000-0x0000000002800000-memory.dmp

memory/2020-303-0x0000000002780000-0x0000000002800000-memory.dmp

memory/2020-304-0x000007FEEE590000-0x000007FEEEF2D000-memory.dmp

memory/2020-305-0x0000000002780000-0x0000000002800000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DLHQEWERRB3M433EPGGN.temp

MD5 4d784841eaa32179b4db35d01cf151f0
SHA1 f488273ece6857b97d3756ef0a95b846f86867f8
SHA256 8e11825817ac60cb4cc597b840b4503ce6086cda76b6e0652fe58ff69370ec43
SHA512 e96d8bbeaa73a9334dae9dce9ba5737ec85a3bef93f774a2a1a06e3c7ce3047c3dc77cbdbb1a48ef9051ed6ce7d81ad720005cc1321ca15b115317965ddcaf04

memory/2916-311-0x000000001B000000-0x000000001B2E2000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/2824-327-0x000000013F400000-0x000000013F9A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/2308-341-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1636-345-0x0000000002770000-0x0000000002B68000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\CabB51E.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarB5AE.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/1472-417-0x000000013F2F0000-0x000000013F656000-memory.dmp

memory/1636-421-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/3008-425-0x00000000000F0000-0x000000000012E000-memory.dmp

memory/3008-427-0x00000000000F0000-0x000000000012E000-memory.dmp

memory/3008-428-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1472-429-0x000000013F2F0000-0x000000013F656000-memory.dmp

memory/3008-431-0x00000000000F0000-0x000000000012E000-memory.dmp

memory/3008-433-0x00000000000F0000-0x000000000012E000-memory.dmp

memory/844-436-0x000000013FCD0000-0x0000000140271000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

memory/1636-444-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

memory/1636-466-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/3028-471-0x0000000000400000-0x00000000008DF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-26 08:16

Reported

2023-10-26 08:19

Platform

win10v2004-20231023-en

Max time kernel

153s

Max time network

173s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\4FD5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\4FD5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4FD5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\4FD5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\4FD5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4FD5.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\518B.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6EC9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3236.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3B9E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4525.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4FD5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\518B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\54C8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6EC9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7245.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cm672QF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7B00.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\93E8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Program Files (x86)\Drive Tools\zDriveTools.exe N/A
N/A N/A C:\Program Files (x86)\Drive Tools\zDriveTools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E0E1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\4FD5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\4FD5.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3236.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\7245.exe'\"" C:\Users\Admin\AppData\Local\Temp\7245.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Drive Tools\is-U31G5.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-8V6MG.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files (x86)\Drive Tools\is-TB85P.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-L1NIS.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-4FAN8.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-UTAVP.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\Lang\is-TUUMN.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-VLEJR.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-BQUMJ.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-IP1K5.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\Drive Tools\zDriveTools.exe C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-P0S3D.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-302U7.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-0NOK5.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\Drive Tools\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-QE3KI.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-A7MKN.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-U0L4J.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-F3PSU.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-0D60K.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-UEAE2.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-391QM.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-17J4L.tmp C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\54C8.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4FD5.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1620 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1620 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1620 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1620 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1620 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3196 wrote to memory of 3720 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3236.exe
PID 3196 wrote to memory of 3720 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3236.exe
PID 3196 wrote to memory of 3720 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3236.exe
PID 3196 wrote to memory of 212 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3B9E.exe
PID 3196 wrote to memory of 212 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3B9E.exe
PID 3196 wrote to memory of 212 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3B9E.exe
PID 3720 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\3236.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe
PID 3720 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\3236.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe
PID 3720 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\3236.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe
PID 3196 wrote to memory of 436 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3196 wrote to memory of 436 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 4584 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe
PID 4584 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe
PID 4584 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe
PID 3196 wrote to memory of 4172 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4525.exe
PID 3196 wrote to memory of 4172 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4525.exe
PID 3196 wrote to memory of 4172 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4525.exe
PID 1376 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe
PID 1376 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe
PID 1376 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe
PID 3196 wrote to memory of 544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4FD5.exe
PID 3196 wrote to memory of 544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4FD5.exe
PID 3196 wrote to memory of 544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4FD5.exe
PID 4580 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe
PID 4580 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe
PID 4580 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe
PID 1572 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe
PID 1572 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe
PID 1572 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe
PID 3196 wrote to memory of 532 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\518B.exe
PID 3196 wrote to memory of 532 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\518B.exe
PID 3196 wrote to memory of 532 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\518B.exe
PID 436 wrote to memory of 3928 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 436 wrote to memory of 3928 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3196 wrote to memory of 3440 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\54C8.exe
PID 3196 wrote to memory of 3440 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\54C8.exe
PID 3196 wrote to memory of 3440 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\54C8.exe
PID 3928 wrote to memory of 2112 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 2112 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 532 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\518B.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 532 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\518B.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 532 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\518B.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1316 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1316 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1316 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1316 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 436 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 436 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2176 wrote to memory of 3212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2176 wrote to memory of 3212 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4352 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4352 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4352 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 2012 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 2012 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3928 wrote to memory of 2012 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe

"C:\Users\Admin\AppData\Local\Temp\465a4fc83e3d108d9d82f27068f95144.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\3236.exe

C:\Users\Admin\AppData\Local\Temp\3236.exe

C:\Users\Admin\AppData\Local\Temp\3B9E.exe

C:\Users\Admin\AppData\Local\Temp\3B9E.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\436F.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe

C:\Users\Admin\AppData\Local\Temp\4525.exe

C:\Users\Admin\AppData\Local\Temp\4525.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe

C:\Users\Admin\AppData\Local\Temp\4FD5.exe

C:\Users\Admin\AppData\Local\Temp\4FD5.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\518B.exe

C:\Users\Admin\AppData\Local\Temp\518B.exe

C:\Users\Admin\AppData\Local\Temp\54C8.exe

C:\Users\Admin\AppData\Local\Temp\54C8.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaa56246f8,0x7ffaa5624708,0x7ffaa5624718

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa56246f8,0x7ffaa5624708,0x7ffaa5624718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3440 -ip 3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 784

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16948067658036492375,12829956949461775861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2880 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16948067658036492375,12829956949461775861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\6EC9.exe

C:\Users\Admin\AppData\Local\Temp\6EC9.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,16948067658036492375,12829956949461775861,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3572 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,16948067658036492375,12829956949461775861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16948067658036492375,12829956949461775861,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3480 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16948067658036492375,12829956949461775861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,8943034187247012507,12759852252303814149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16948067658036492375,12829956949461775861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\7245.exe

C:\Users\Admin\AppData\Local\Temp\7245.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3884 -ip 3884

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cm672QF.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cm672QF.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\7B00.exe

C:\Users\Admin\AppData\Local\Temp\7B00.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 540

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5212 -ip 5212

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 784

C:\Users\Admin\AppData\Local\Temp\93E8.exe

C:\Users\Admin\AppData\Local\Temp\93E8.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16948067658036492375,12829956949461775861,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16948067658036492375,12829956949461775861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp" /SL5="$601DE,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16948067658036492375,12829956949461775861,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16948067658036492375,12829956949461775861,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,16948067658036492375,12829956949461775861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,16948067658036492375,12829956949461775861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1060 -ip 1060

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\E0E1.exe

C:\Users\Admin\AppData\Local\Temp\E0E1.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.249:80 77.91.68.249 tcp
US 8.8.8.8:53 249.68.91.77.in-addr.arpa udp
RU 193.233.255.73:80 193.233.255.73 tcp
US 8.8.8.8:53 73.255.233.193.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
NL 81.161.229.93:80 81.161.229.93 tcp
US 8.8.8.8:53 93.229.161.81.in-addr.arpa udp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 stim.graspalace.com udp
US 188.114.97.0:80 stim.graspalace.com tcp
US 8.8.8.8:53 facebook.com udp
IE 163.70.151.35:443 facebook.com tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 21.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.151.35:443 fbcdn.net tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
FI 77.91.124.86:19084 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.28:80 host-host-file8.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 28.26.214.95.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com udp
FI 77.91.124.86:19084 tcp
NL 194.169.175.235:42691 tcp
US 8.8.8.8:53 235.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 9afc01a2-3e8e-4f13-b17f-05f93b95ae62.uuid.datadumpcloud.org udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 212.47.253.124:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
NL 51.15.58.224:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 124.253.47.212.in-addr.arpa udp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 224.58.15.51.in-addr.arpa udp
FI 77.91.124.86:19084 tcp

Files

memory/2208-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2208-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3196-2-0x0000000003330000-0x0000000003346000-memory.dmp

memory/2208-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3236.exe

MD5 7b330787a922b9967075a77a51f249b9
SHA1 897b3f0c07e4dc5e9d73a1230db01f18030885f6
SHA256 63d241628b82da0c68bafb319cddb0fe55745c58be3e2bffa739150a57fbd155
SHA512 a8349f07ae89f64f2959322e3fb3ff86e0b2eab678730e630d05ca01bfae075711762828bf69b20c77ce6baf45b50aad4dfb99d2a38a8631416d29bb5a7abc4e

C:\Users\Admin\AppData\Local\Temp\3236.exe

MD5 7b330787a922b9967075a77a51f249b9
SHA1 897b3f0c07e4dc5e9d73a1230db01f18030885f6
SHA256 63d241628b82da0c68bafb319cddb0fe55745c58be3e2bffa739150a57fbd155
SHA512 a8349f07ae89f64f2959322e3fb3ff86e0b2eab678730e630d05ca01bfae075711762828bf69b20c77ce6baf45b50aad4dfb99d2a38a8631416d29bb5a7abc4e

C:\Users\Admin\AppData\Local\Temp\3B9E.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\3B9E.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe

MD5 098656950922e686b08e0075c0d32fb1
SHA1 cac8b195032cc702651a2321159119d21b5a6bfa
SHA256 6f62dbd190e2cab62609f16c0ac22bb7f771844816072bc6eda1dd079707e461
SHA512 77280ef69bc7391d208e6467f2703e0fbc4c864ac2618bb4a2238f758734983a6133bd26bcd1fcb0d66013c2c3196d02fe3234ef4307b2de49978cebabb9b03f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sm8zO5wH.exe

MD5 098656950922e686b08e0075c0d32fb1
SHA1 cac8b195032cc702651a2321159119d21b5a6bfa
SHA256 6f62dbd190e2cab62609f16c0ac22bb7f771844816072bc6eda1dd079707e461
SHA512 77280ef69bc7391d208e6467f2703e0fbc4c864ac2618bb4a2238f758734983a6133bd26bcd1fcb0d66013c2c3196d02fe3234ef4307b2de49978cebabb9b03f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe

MD5 0a4de9ccb2344829a377246af96a60eb
SHA1 85902bc034aeb5376d63f64965ee0e33b78bc4d4
SHA256 0975f5f2eed6f8cd8e491a1ebea3b024cf721f2c2b8420b863704c804b87902f
SHA512 4917cf6b5d9ec6df29b9b8f3b0ef32822b6ae23af67663b4901fa5293ba35c74a55e92f19675f391389c1dadafa803353a241f7a3a4dafa894b9e0b6d51c35b0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ir2kl2Jl.exe

MD5 0a4de9ccb2344829a377246af96a60eb
SHA1 85902bc034aeb5376d63f64965ee0e33b78bc4d4
SHA256 0975f5f2eed6f8cd8e491a1ebea3b024cf721f2c2b8420b863704c804b87902f
SHA512 4917cf6b5d9ec6df29b9b8f3b0ef32822b6ae23af67663b4901fa5293ba35c74a55e92f19675f391389c1dadafa803353a241f7a3a4dafa894b9e0b6d51c35b0

C:\Users\Admin\AppData\Local\Temp\436F.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\4525.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\4525.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe

MD5 0fd1108be4eddc58cab732458f9b6656
SHA1 0dfa4478e6736a752ce39c28f5cb1fe35e299645
SHA256 076f74cc55caa6b6c0869114fb7bd00fe9f2073623d95d8f7a48d14a74cad2d5
SHA512 9380c65761cd1594c6e6714ed44dd62250f7460adf24d20f78941e511cca7f5c57c42d3d8bce720d6b9a7b0867806fc8c4b5db665124e20e4be581708eee4632

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YM4Ol9sz.exe

MD5 0fd1108be4eddc58cab732458f9b6656
SHA1 0dfa4478e6736a752ce39c28f5cb1fe35e299645
SHA256 076f74cc55caa6b6c0869114fb7bd00fe9f2073623d95d8f7a48d14a74cad2d5
SHA512 9380c65761cd1594c6e6714ed44dd62250f7460adf24d20f78941e511cca7f5c57c42d3d8bce720d6b9a7b0867806fc8c4b5db665124e20e4be581708eee4632

memory/4172-56-0x00000000732C0000-0x0000000073A70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe

MD5 b44d195a6af65c40e38016ebd9fa6b81
SHA1 24ef75dbe41d39f4d52d535b2befecde3ea059fd
SHA256 206e2fb69c032e0ed13fa62b5e74d17a08f28d8b86d33954e572a0393acc2dd2
SHA512 c497526b3e962ec4da228fbd000c566a470ef200297e2665a09d21b10b9e9d5f1e741be9d7c64a1430e1bc12aa8b451d76234cc825130b5335fb90a1ea79dd7d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rL0QD2kI.exe

MD5 b44d195a6af65c40e38016ebd9fa6b81
SHA1 24ef75dbe41d39f4d52d535b2befecde3ea059fd
SHA256 206e2fb69c032e0ed13fa62b5e74d17a08f28d8b86d33954e572a0393acc2dd2
SHA512 c497526b3e962ec4da228fbd000c566a470ef200297e2665a09d21b10b9e9d5f1e741be9d7c64a1430e1bc12aa8b451d76234cc825130b5335fb90a1ea79dd7d

memory/4172-57-0x0000000000960000-0x000000000099E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe

MD5 f3705bd779ea6170793ef79e54c4e18f
SHA1 0abadbc9d1e2a499368523c86c2347156e7ffe8f
SHA256 187f3bfd0a25635c0e5d0d4ba78425c4f5516c5686344550caaaa13220da674c
SHA512 3ab21db34013611a721d8d9089beb6d75af0f1e48af9c81774c757c802338118132a4355227e3ad27663b3545ff40a3e08c7baf66299830e9c9173a28cb5576d

memory/544-65-0x00000000732C0000-0x0000000073A70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1NJ83kK2.exe

MD5 f3705bd779ea6170793ef79e54c4e18f
SHA1 0abadbc9d1e2a499368523c86c2347156e7ffe8f
SHA256 187f3bfd0a25635c0e5d0d4ba78425c4f5516c5686344550caaaa13220da674c
SHA512 3ab21db34013611a721d8d9089beb6d75af0f1e48af9c81774c757c802338118132a4355227e3ad27663b3545ff40a3e08c7baf66299830e9c9173a28cb5576d

memory/544-54-0x0000000000630000-0x000000000063A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4FD5.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\4FD5.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

memory/4172-69-0x0000000007CF0000-0x0000000008294000-memory.dmp

memory/4172-70-0x0000000007820000-0x00000000078B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\518B.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\518B.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4172-76-0x0000000007800000-0x0000000007810000-memory.dmp

memory/4172-80-0x00000000079D0000-0x00000000079DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\54C8.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Temp\54C8.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4172-93-0x0000000007B80000-0x0000000007C8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3440-95-0x0000000000400000-0x000000000047E000-memory.dmp

memory/4172-96-0x0000000007B10000-0x0000000007B4C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8f30b8232b170bdbc7d9c741c82c4a73
SHA1 9abfca17624e13728bd7fa6547e7e26e0695d411
SHA256 0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb
SHA512 587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

memory/4172-94-0x0000000007AB0000-0x0000000007AC2000-memory.dmp

memory/4172-90-0x00000000088C0000-0x0000000008ED8000-memory.dmp

memory/4172-103-0x0000000007C90000-0x0000000007CDC000-memory.dmp

memory/3440-102-0x0000000000550000-0x00000000005AA000-memory.dmp

memory/3440-107-0x00000000732C0000-0x0000000073A70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\54C8.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8f30b8232b170bdbc7d9c741c82c4a73
SHA1 9abfca17624e13728bd7fa6547e7e26e0695d411
SHA256 0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb
SHA512 587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

C:\Users\Admin\AppData\Local\Temp\54C8.exe

MD5 329bce2e07f7898910e3fd4e17b98d42
SHA1 94d379a5964c97eefad6432608dd09b4ddb12b77
SHA256 3c78b3067a13c0c8980f0cc9cac0c8d5a2ac8400c259405eebb907f3f7da349e
SHA512 a3eaf12d4d6fffbae622ba50afef0eba19b24f25d3f6706abb5b4e8d7c05e3b0da6b2a4f0a0daa48d026ef4fc8205746cad90daff2d2a47edc7a90446649e7f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8f30b8232b170bdbc7d9c741c82c4a73
SHA1 9abfca17624e13728bd7fa6547e7e26e0695d411
SHA256 0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb
SHA512 587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

\??\pipe\LOCAL\crashpad_3928_ESVYOFNPQUQIZVYG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\6EC9.exe

MD5 dd879217d6270ce10527c1f4752e2602
SHA1 9b95b9be2b977cf9b7f5b268e33b2a8abc438e3d
SHA256 a406a3c1474a57c62f3dbd56aa15d5d732e6a0fe8bbfd7bce9425b132204da8b
SHA512 897e72e251fdab2b4a1a2a0f33df3e5e3ab931620614527bf483b196505f87ebdddd884881aa21fbc661b72ca5157cb60e3b6d21ca04c526c099b5439e75648d

C:\Users\Admin\AppData\Local\Temp\6EC9.exe

MD5 dd879217d6270ce10527c1f4752e2602
SHA1 9b95b9be2b977cf9b7f5b268e33b2a8abc438e3d
SHA256 a406a3c1474a57c62f3dbd56aa15d5d732e6a0fe8bbfd7bce9425b132204da8b
SHA512 897e72e251fdab2b4a1a2a0f33df3e5e3ab931620614527bf483b196505f87ebdddd884881aa21fbc661b72ca5157cb60e3b6d21ca04c526c099b5439e75648d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8f30b8232b170bdbc7d9c741c82c4a73
SHA1 9abfca17624e13728bd7fa6547e7e26e0695d411
SHA256 0916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb
SHA512 587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be

memory/4172-139-0x00000000732C0000-0x0000000073A70000-memory.dmp

memory/1004-140-0x0000000000DE0000-0x00000000017C6000-memory.dmp

memory/1004-141-0x00000000732C0000-0x0000000073A70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 91f51b4309276333e6b68315a6f1fc1e
SHA1 3bdc19f54e765b42bac9634ff999e3d846b0f280
SHA256 85398af756b442265e3c0faa518222a689c460824ea7899c1bc42ec210390d08
SHA512 48ca688d7fc45d8136ed44f36192ac2cca1343207258bdaa64480246427e190f5377f08e6e366f135456231d6e354efa9a91a0727b49ce7d9a1844d64cba533d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ef2ca9c16d5585d7b2de943e8f7c5d55
SHA1 2e044050e0341441ab947cdf1bd95ade6d5a18c4
SHA256 237073dfc72666f1a6317b7f9c2bdd9b023200b70aa9a915c79c21958f8ef985
SHA512 6d90d54d948d62ceb32cfdbd7f2e02844d679f1a430cdeb4786e1ba36f46ecaa6dc85f0efaa6782597485fd928eae3bdc15218b067df9d045c07cea6d2e821c0

C:\Users\Admin\AppData\Local\Temp\7245.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\7245.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/3884-166-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3884-167-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3884-177-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cm672QF.exe

MD5 067376a628e66226d09bf13e6199c23c
SHA1 60f2e807af25f4e1dd64bf1d2147ba698ff19c33
SHA256 4bdbebfa4e51279850142ad7845cb2304323205cba1b2bdfd39eeafa840bef5b
SHA512 c74b35969ce078ebed6310001066d9beb39402a7026f8a57254e8fbcc0eda2a982b3e566fb4a3771ea232c8f88f8b59f3922089dfa7ac7522729655e5d03636b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cm672QF.exe

MD5 067376a628e66226d09bf13e6199c23c
SHA1 60f2e807af25f4e1dd64bf1d2147ba698ff19c33
SHA256 4bdbebfa4e51279850142ad7845cb2304323205cba1b2bdfd39eeafa840bef5b
SHA512 c74b35969ce078ebed6310001066d9beb39402a7026f8a57254e8fbcc0eda2a982b3e566fb4a3771ea232c8f88f8b59f3922089dfa7ac7522729655e5d03636b

memory/2280-187-0x0000000000A30000-0x0000000000A6E000-memory.dmp

memory/544-186-0x00000000732C0000-0x0000000073A70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

C:\Users\Admin\AppData\Local\Temp\7B00.exe

MD5 8e4c82c39fdb3c524a81f62ded2d6c2e
SHA1 bde413f720af010f5c9d8f745d79be00c0fd3c1e
SHA256 be534d74fab71aae643e680faf16cc0d6150f8653afe3c7fc9f949ca7f2e48e7
SHA512 c88868cdc8f6c66e5fe0c1073ae394a03a20f5530de057e5fb604fef25754bf1bd26e70eba67b7cd610e50313bfc8190adb684b084b6d0dc1ac833a06d35edb2

memory/544-200-0x00000000732C0000-0x0000000073A70000-memory.dmp

memory/4172-201-0x0000000007800000-0x0000000007810000-memory.dmp

memory/2280-202-0x0000000007A10000-0x0000000007A20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5283cdd674c839582d319aabafaad58e
SHA1 04f113b8d35ed25942fcf11e830c3161004f5c18
SHA256 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2
SHA512 f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9

memory/2280-195-0x00000000732C0000-0x0000000073A70000-memory.dmp

memory/3884-179-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/3440-251-0x0000000000400000-0x000000000047E000-memory.dmp

memory/5212-245-0x0000000000550000-0x00000000005AA000-memory.dmp

memory/5212-242-0x0000000000400000-0x000000000047E000-memory.dmp

memory/3440-257-0x00000000732C0000-0x0000000073A70000-memory.dmp

memory/5620-263-0x0000000000120000-0x0000000000128000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\93E8.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

memory/5620-290-0x00007FFAA1A50000-0x00007FFAA2511000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9d3ff456991e19c9dd2b8494e6fdf0f0
SHA1 609cd8be17191422f4de630d75db962cb6617a12
SHA256 87a2b2b54282b750abe01844f59285b55dbe41e8790e812ce455fd11f22b03fa
SHA512 11ac4931a4f4c4ecae091e035c47ea211be0c512332efdd1d973ce0cb34109fbe1d5d07dd0c1db6ac89752160bc5a816f392d34af744c1ce6d8a54613275251d

memory/5988-298-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5304-296-0x00000000022C0000-0x00000000022C9000-memory.dmp

memory/5304-294-0x00000000009C0000-0x0000000000AC0000-memory.dmp

memory/5620-300-0x000000001ADB0000-0x000000001ADC0000-memory.dmp

memory/5212-299-0x00000000732C0000-0x0000000073A70000-memory.dmp

memory/5844-301-0x00000000732C0000-0x0000000073A70000-memory.dmp

memory/1004-293-0x00000000732C0000-0x0000000073A70000-memory.dmp

memory/5988-292-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5844-291-0x0000000005580000-0x000000000561C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4fdddbce76efb1539cc415cf55ed55a5
SHA1 24b1723986648e4637320319f812eb2e6cce856d
SHA256 e886378831b22c30e9c1be7affd144a475b23b69f98bd682352dd632c5a6206b
SHA512 8d54a10d295cdc0036493619e8473ac6ee57652267f0b8b283fc163b4728b19123c59cdbdf7a58f412782540a3205e36ed6764d49610b55c2d85465f82697873

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ef2ca9c16d5585d7b2de943e8f7c5d55
SHA1 2e044050e0341441ab947cdf1bd95ade6d5a18c4
SHA256 237073dfc72666f1a6317b7f9c2bdd9b023200b70aa9a915c79c21958f8ef985
SHA512 6d90d54d948d62ceb32cfdbd7f2e02844d679f1a430cdeb4786e1ba36f46ecaa6dc85f0efaa6782597485fd928eae3bdc15218b067df9d045c07cea6d2e821c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 0b8abe9b2d273da395ec7c5c0f376f32
SHA1 d7b266fb7310cc71ab5fdb0ef68f5788e702f2ec
SHA256 3751deeb9ad3db03e6b42dedcac68c1c9c7926a2beeaaa0820397b6ddb734a99
SHA512 3dd503ddf2585038aa2fedc53d20bb9576f4619c3dc18089d7aba2c12dc0288447b2a481327c291456d7958488ba2e2d4028af4ca2d30e92807c8b1cdcffc404

memory/5844-272-0x0000000000980000-0x0000000000D60000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

\??\pipe\LOCAL\crashpad_2176_LRSXXZYOMQZSIEJA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/5212-335-0x0000000000400000-0x000000000047E000-memory.dmp

memory/5460-342-0x00000000028F0000-0x0000000002CF5000-memory.dmp

memory/5460-348-0x0000000002E00000-0x00000000036EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 b81b2eb3482efa33317c20415beaf6a4
SHA1 34711c1bad47eb6b94c242473de396eb9362543e
SHA256 61bf7b52d24d540150690db32dd12dbc9a11f8b7ac4bacfd1516df25c2b583dc
SHA512 e4f6e69851a7ce778c7e1f8f4904654e887ef505dfe1fe9bc26834f96b787f4573b9bf9d827328690ec274ca102a8a0ce6b098cd49d51214f43760ff7227464b

memory/5460-349-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5676-355-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5620-357-0x00007FFAA1A50000-0x00007FFAA2511000-memory.dmp

memory/5676-359-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2280-360-0x0000000007A10000-0x0000000007A20000-memory.dmp

memory/5460-358-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2280-352-0x00000000732C0000-0x0000000073A70000-memory.dmp

memory/3196-362-0x00000000032A0000-0x00000000032B6000-memory.dmp

memory/5988-363-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-N1HT3.tmp\LzmwAqmV.tmp

MD5 e416b5593ef10377e8edc748ca6f2527
SHA1 d06fb79becff1bedd80f1b861449c8665af9aa67
SHA256 a7e400b62721851753ec6453e7eb3a5df4797149cfa1d3b0bf9db0a837863eb0
SHA512 8e44b491f86779ab5a6834da0639952be11d6ab598f392cee28ed5dabd71b3b15330d872620c1d0d858024e0e09d81ab0f9addbde82c1695de22d0bdf8f5be7c

memory/2008-384-0x0000000000650000-0x0000000000651000-memory.dmp

memory/5844-389-0x00000000732C0000-0x0000000073A70000-memory.dmp

memory/5864-398-0x00007FF750070000-0x00007FF750611000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 422bd2d5b284fec362a630f98fb649b4
SHA1 0538ee199d8b8f4b7c3808de210e56a93eb6be1b
SHA256 f9e97b7e7dcc1eaef8b6bbf7ddc6946ee888ccfe96d023b2835eb0497669ecd4
SHA512 710d1d924e6a3cee0045584128768f5a4bd55cd4ca6e5e11bf8a8f36063d874c61fcd90e373cc645b438694d70d005886d65287717badb255d1bd2ecbb065502

memory/5844-403-0x00000000054F0000-0x00000000054FA000-memory.dmp

memory/5844-412-0x0000000005510000-0x0000000005518000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/5844-421-0x0000000005700000-0x0000000005892000-memory.dmp

memory/5844-460-0x0000000005D20000-0x0000000005D30000-memory.dmp

memory/5460-461-0x00000000028F0000-0x0000000002CF5000-memory.dmp

memory/5844-470-0x00000000056E0000-0x00000000056F0000-memory.dmp

memory/5844-476-0x00000000056E0000-0x00000000056F0000-memory.dmp

memory/5844-477-0x00000000056E0000-0x00000000056F0000-memory.dmp

memory/4132-479-0x0000000000400000-0x0000000000636000-memory.dmp

memory/5844-480-0x0000000005ED0000-0x0000000005FD0000-memory.dmp

memory/1060-478-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4132-483-0x0000000000400000-0x0000000000636000-memory.dmp

memory/5844-472-0x00000000056E0000-0x00000000056F0000-memory.dmp

memory/5844-471-0x00000000056E0000-0x00000000056F0000-memory.dmp

memory/5844-484-0x00000000056E0000-0x00000000056F0000-memory.dmp

memory/1060-488-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5844-487-0x00000000732C0000-0x0000000073A70000-memory.dmp

memory/1060-494-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9c67f197c478cec9be558ce9b8e45802
SHA1 1dc747c58fb727064f4aa877995a591449d06fa6
SHA256 e7a40d77012d8e35e21a229c7d746ce5d885cc2247abe79906a1bc62f4309d40
SHA512 4c73b1507efd563621e67b1209daf55fa035821748b1bdf2d26ac1b68d840639dc97eb8e04e9c0e1807fd1f0fdb0186a47ed7dbc0ea0b3e71134fee43435e3f5

memory/5460-511-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5676-512-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a2dce61eb749555e007ab06fad0460ff
SHA1 6e887ef8200a09edcb2283ec3d8b9b7aef6a838a
SHA256 c5bab38fe9896f00e98471050674144e2538b14a1acf2484000388dc0a1fb81f
SHA512 2b8143b2aa6b8cec418f2218440ca6bf48c9ca86b64ad4e74208756a835ff4e1eccd3bd9df1b0901449d2e26a933b57be4b0f58f15edbec1f546ece28d66c759

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d6b4.TMP

MD5 63d8276487e2a3f19cf233683c925e66
SHA1 9a2328002e64c76864b669801f8c871e251f2b99
SHA256 ce6eb9718664e27991e88f7ea92c2caeb8d6ffde1e0e609ce424767117782a8b
SHA512 8dc1881c0696aae6597c0dbc393a8fcf3249866d2f945487d654bb5565e16fa4997e85157960b6d9efdab887427d268b0ad0a3384996564a152440c544b22b51

memory/2008-539-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y1kkyppa.5vo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1720-565-0x0000000000400000-0x0000000000636000-memory.dmp

memory/5460-567-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1220-574-0x00007FF739D90000-0x00007FF73A0F6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 67c83d6f3cda4ed17a928f5e86a37334
SHA1 8c580984eba89894559c85dd6bafe42d0b1fc44a
SHA256 79848bb5ef6f9ddffbbf08e4559484182cce8959288049d9044458876cba9aa5
SHA512 9810b7ae8face095493f4e73ee208c073e04e8e19d3eed828a711779ce445a0bfd666d889e0e3342d1b388a887e358044eafc1a81cb2510144553528a1a3a886

memory/1720-619-0x0000000000400000-0x0000000000636000-memory.dmp

memory/5460-620-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2b3b21f1aa63b40c43375a1b670d8726
SHA1 72c4327411d621b9cbb71d4b46068af889ab80ff
SHA256 8e830f8678720e533820df30988e414e429a0334154349cfaa229d8cc09a3cdd
SHA512 480a186615fea01aa36c606b239dbe57bb8482acae69dc6e7e4d7669f7a9783ba7ab659ff58244dd137a4736cd33d9e71c6f769a2d2dfac0e75e421deb7d28e7

memory/5864-656-0x00007FF750070000-0x00007FF750611000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 568552b00f57b939a44054a3582adb7a
SHA1 0772d32025d4c1659c2bc9f71200c7d46ded876b
SHA256 d0641736b4ba6b42538b12183afa88cec64b1d433600273c7dacb00680b5ca68
SHA512 673247c22f151cff8eb38b9426142924a67a6ef8959136b507d79e66f1486a6225043b84df5be9f96237545263ef78e7bcf0a9db6b109550a2a4f24d7c0870d0

memory/1220-662-0x00007FF739D90000-0x00007FF73A0F6000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/1720-678-0x0000000000400000-0x0000000000636000-memory.dmp

memory/5460-681-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5864-688-0x00007FF750070000-0x00007FF750611000-memory.dmp

memory/1220-693-0x00007FF739D90000-0x00007FF73A0F6000-memory.dmp

memory/1720-694-0x0000000000400000-0x0000000000636000-memory.dmp

memory/2088-710-0x00007FF6C6F30000-0x00007FF6C74D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9639071440fe9df09db5a3767bc647c0
SHA1 115061b4c5a4e558469c219130630df6ace891a2
SHA256 70572b8a135a5699da469b431dac13197c9ebad1b35a879ac6f9344ac505b5ce
SHA512 a351e0380eea5276e95193515cebef21806a8879326d6a3fe1c9d61c87fe9d197ec362dcc578f410a14444d5c7caad0ced62b122c9a2576bf592b368ea5c1f8b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 774312d2bbae9009cdc15bfeaf60824b
SHA1 93b91c9f820edf9cde578a22defc0d52f10655f4
SHA256 b7bf51fbe69667309a94c936d8bd979031584e8494e8d3c0c1bd05fdc131ef0d
SHA512 ee27da865d35a2c2a7a77cebfdd05ba13f06ba11190916ec9b871ca1d0a8832daacbbe5d18c5c91b6103ddc24ef19e98dd752877b8929860669f46d67a301a15

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ba8f5ef37d5835e8bedc1b4376d391a9
SHA1 9396119ae6ac1a3a990ded036769358b0cbf50fd
SHA256 081d7457de985ffd5c51e0beb0685094e090bd5e59e186d1591102dabdbe344a
SHA512 76385898c1b82036b13eee9b4c05abe5405abd59b32953855448d63f7b919c35684abf69de0ac8c8e096031bbc48e4ba63ff9107392d43a182e69a446f0c6157
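As an added example (not part of this sandbox report), the Python below turns a Files listing in the format above into a usable indicator set. It parses the path entries and the interleaved memory-dump lines, drops entries repeated verbatim, rejects digests of the wrong length, excludes the empty-input digest that the crashpad named pipe carries, and reports paths that appear with more than one SHA256 (the Edge profile files, rewritten while the browser data was read). The sample input is a constructed excerpt using paths and digests copied from the listing; truncated.exe is a hypothetical entry added to exercise the length check.

```python
"""Parse a sandbox 'Files' listing into IOCs. Added example, not from the report."""
import hashlib
import re
from collections import defaultdict, namedtuple

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# SHA-256 of zero bytes: the crashpad named pipe above carries it, so the entry
# has no content and must not be shipped as an indicator.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
# memory/<pid>-<event>-0x<start>-0x<end>-memory.dmp
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
MemRegion = namedtuple("MemRegion", "pid event start end")
FileRecord = namedtuple("FileRecord", "path hashes")  # hashes: {alg: hexdigest}

def parse_listing(text):
    """Return (file records in listing order, memory regions)."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_LINE.match(line):
            pid, ev, start, end = m.groups()
            regions.append(MemRegion(int(pid), int(ev), int(start, 16), int(end, 16)))
            current = None  # digest lines never follow a dump line
        elif m := HASH_LINE.match(line):
            if current is not None:
                current.hashes[m.group(1)] = m.group(2)
        else:  # any other non-empty line is a path and opens a new entry
            current = FileRecord(line, {})
            files.append(current)
    return files, regions

def malformed(files):
    """Paths whose digests have the wrong length (truncated or damaged in extraction)."""
    return [f.path for f in files if any(len(h) != HASH_LEN[a] for a, h in f.hashes.items())]

def dedupe(files):
    """Drop entries repeated verbatim (same path, same SHA256), keeping the first."""
    seen, out = set(), []
    for f in files:
        key = (f.path, f.hashes.get("SHA256"))
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out

def versions_by_path(files):
    """Distinct SHA256 per path; more than one means the file was rewritten during detonation."""
    v = defaultdict(set)
    for f in dedupe(files):
        if "SHA256" in f.hashes:
            v[f.path].add(f.hashes["SHA256"])
    return {p: len(s) for p, s in v.items()}

def ioc_set(files):
    """SHA256 values safe to block on: well-formed and not the empty-input digest."""
    bad = set(malformed(files))
    return {f.hashes["SHA256"] for f in dedupe(files)
            if "SHA256" in f.hashes and f.path not in bad and f.hashes["SHA256"] != EMPTY_SHA256}

def matches(data, iocs):
    """True if raw file content hashes to a known indicator."""
    return hashlib.sha256(data).hexdigest() in iocs

# Constructed excerpt in the report's format. Paths and digests are copied from the
# listing above, except truncated.exe: a hypothetical entry with a cut-off digest.
SAMPLE = r"""memory/544-186-0x00000000732C0000-0x0000000073A70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

SHA256 e886378831b22c30e9c1be7affd144a475b23b69f98bd682352dd632c5a6206b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

SHA256 237073dfc72666f1a6317b7f9c2bdd9b023200b70aa9a915c79c21958f8ef985

\??\pipe\LOCAL\crashpad_2176_LRSXXZYOMQZSIEJA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Local\Temp\truncated.exe

SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b
"""

if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    print(len(files), "entries,", len(dedupe(files)), "unique,", len(regions), "dump region(s)")
    print("malformed:", malformed(files), "rewritten:", {p: n for p, n in versions_by_path(files).items() if n > 1})
    print("IOCs:", sorted(ioc_set(files)))
```

Feed the whole Files section to parse_listing to get the full set. Hash indicators match only these exact builds, and the dropped loaders in this chain are repacked often, so treat the digests as short-lived and pair them with the drop paths (%TEMP%, the per-sample AppData\Roaming directory holding cred64.dll and clip64.dll) when writing detections.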