Malware Analysis Report

2024-10-18 22:29

Sample ID: 241007-g9dkbavcnh
Target: 2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497
SHA256: 2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497
Tags: zloader, botnet, discovery, persistence, trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497

Threat Level: Known bad

The file 2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497 was found to be: Known bad.

Malicious Activity Summary

zloader botnet discovery persistence trojan

Zloader, Terdot, DELoader, ZeusSphinx

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-07 06:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (15 consecutive identical entries)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-07 06:29
Reported: 2024-10-07 06:33
Platform: win10v2004-20240802-en
Max time kernel: 174s
Max time network: 169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe"

Signatures

Zloader, Terdot, DELoader, ZeusSphinx

Tags: trojan, botnet, zloader

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe | N/A   (15 consecutive identical entries)
N/A | N/A | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A   (15 consecutive identical entries)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe | N/A   (6 consecutive identical entries)
N/A | N/A | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A   (28 consecutive identical entries)

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DesktopCal = "C:\\Users\\Admin\\AppData\\Roaming\\CalendarTask\\desktopcal.exe" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A

Checks installed software on the system

Tags: discovery

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A   (2 consecutive identical entries)

Browser Information Discovery

Tags: discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A   (3 consecutive identical entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\CalendarTask\dkupdate.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies Internet Explorer settings

Tags: adware, spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\desktopcal.exe = "11001" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dkwebctrl.exe = "11001" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000 | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A   (2 consecutive identical entries)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe | N/A   (18 consecutive identical entries)
N/A | N/A | C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe | N/A   (2 consecutive identical entries)
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A   (6 consecutive identical entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A   (3 consecutive identical entries)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe
PID 2688 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe
PID 2688 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe
PID 3060 wrote to memory of 540 N/A C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe C:\Users\Admin\AppData\Roaming\CalendarTask\dkupdate.exe
PID 3060 wrote to memory of 464 N/A C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe C:\Users\Admin\AppData\Roaming\CalendarTask\dkdockhost.exe
PID 3060 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3060 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3932 wrote to memory of 3068 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3932 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3932 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3932 wrote to memory of 380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe

"C:\Users\Admin\AppData\Local\Temp\2d9c9ba012ae8a50b79ef502e6c7dc05451eacf69c598c54c31c91b9c1623497.exe"

C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe

"C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe" -savelang.cht

C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe

"C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe" -savestart

C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe

C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe

C:\Users\Admin\AppData\Roaming\CalendarTask\dkupdate.exe

C:\Users\Admin\AppData\Roaming\CalendarTask\dkupdate.exe

C:\Users\Admin\AppData\Roaming\CalendarTask\dkdockhost.exe

"C:\Users\Admin\AppData\Roaming\CalendarTask\dkdockhost.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://service1.xdiarys.com/api/jump/cht/1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8841246f8,0x7ff884124708,0x7ff884124718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4744148856478316120,8984590678950055598,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4744148856478316120,8984590678950055598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,4744148856478316120,8984590678950055598,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4744148856478316120,8984590678950055598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4744148856478316120,8984590678950055598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4744148856478316120,8984590678950055598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" http://service1.xdiarys.com/api/jump/cht/1011

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8841246f8,0x7ff884124708,0x7ff884124718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,18443914297251750076,11872391274916672624,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,18443914297251750076,11872391274916672624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,18443914297251750076,11872391274916672624,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18443914297251750076,11872391274916672624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18443914297251750076,11872391274916672624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18443914297251750076,11872391274916672624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\calendar-20241007-06.txt

Network

Files

C:\Users\Admin\AppData\Local\Temp\nslBC3D.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\dkcuninstall.dll

memory/2688-10-0x0000000002420000-0x000000000243B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nslBC3D.tmp\nsSkinEngine.dll

memory/2688-39-0x0000000002440000-0x00000000024C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nslBC3D.tmp\LangDLL.dll

C:\Users\Admin\AppData\Local\Temp\dkc_close.png

MD5 e7a889b50ae9afefa73045ba670db165
SHA1 71202f829dfdea761fca99a6c1d7f76c2cd5a412
SHA256 2a9def0150983b2d7176b61146dd57d05a44e0f4452ac0574e309542f3d9782b
SHA512 12110fa84bd2282b4b805ee8c0958fbd73344c110a1ec8349a00155636453bfab3296a3f8fc07391ac72e9f45df47cae29c391e53448afc70bcb3344a4ce3584

C:\Users\Admin\AppData\Local\Temp\dkc_title.png

MD5 c36c136fcc7e375532f35078b3fb80ee
SHA1 0cf9ffb2d7fdea950e69e4b934982ba55bca8822
SHA256 1871548bca7e034c4022ee1041f0ebe1e215adb82a6a9566bcbfd0e57bc6e125
SHA512 3bd72b5f8279cf9a36a8bffe90781a1cab3160a932b82416d136d2de12b6de7c95e332cea2a76c5d1ee035704f483d835ef3b0b8617f84e5dafd36b4afff561e

C:\Users\Admin\AppData\Local\Temp\dkc_bottom.png

MD5 0f07fe3eec21fcdc8bf97bd865c6500b
SHA1 56da55b18d81d57a8d33c8514f0cd81789dd989a
SHA256 6f8cc3644f2095b33cbd5c31c4870d15ef04c9c7be0126e4e66d40e888eb964d
SHA512 701f8aa4bc18acb838d8997e94ee3c0df92af1c5dc7a41795b043119d1c4c6f278612d83ece496c6066192854d1da0477b0037fc7728263fa9b2bd3600b7f1b8

C:\Users\Admin\AppData\Local\Temp\dkc_onkeybutton.png

MD5 f49b9fcf13339ed99722f9976ce0f32d
SHA1 c9207f7626b923528c1acaf36390875718e2246d
SHA256 aa24761f9fa2596c6c51fc81adfce41424f1f8f8e7a0047653a62fc8137f3e6f
SHA512 07bee7f88af4ba24f772a401e6982f7bad85eada263ae04962cc205ac88cfb1a6672fd87e83eb3f650d12665d4cb387811a960217a1f3d5fe0f5ade84b78af87

C:\Users\Admin\AppData\Local\Temp\dkc_onlangbutton.png

MD5 3a9674dbcf2f39809a5e118a3a512409
SHA1 3c624d1a3cea4dcc2db45ecb6dead387844f8655
SHA256 2be27ce3398d5f58504524f580c948f89712ff1de89a99b54706c0e0c93bff45
SHA512 f436d2cae388a9c82e8baa32a2d6184d656fbf94142e5b66ec4aec68e35b8bad2f3163ef0b228f84adeccf88b6ff49a476de277a6bca32c71d1320da9a68fa84

C:\Users\Admin\AppData\Local\Temp\dkc_background.png

MD5 7f10e2778be436731dd8491d492f5207
SHA1 de7da03d5b3c710382d21c0956d8df5c36326cef
SHA256 a0586fe99c9e0d1e94fbdc4173015dbc28735684813f50aed517af8cf61bffe0
SHA512 4e62d720eb039d2a15811226ed94814e106079facfa37e0ca244e2402b26274d13384f65c1ada643f3708bde61c8ca26fcf0a21d8265b42d9fccb177b027d1f7

C:\Users\Admin\AppData\Local\Temp\dkc_skin.txt

MD5 00c6dbb5b70e4054d84b14bf6a4660c2
SHA1 2d2475848e4316c790134aa124aa7156c0ec7b2e
SHA256 4049ea8f4bdfcd260be37254b6ff5573ba05fa96610c43754def662cea8d6b39
SHA512 b57873b895948b80b57d8a0a841e7301b18c0028aa587d86dd8eb5d208ae7bf79d64af25e4019ceb551cf079602edcb7a2a0eef539b3aae54c30a99c628d63dd

C:\Users\Admin\AppData\Local\Temp\dkc_progress_bottom.png

MD5 a6af35e0db291dc9505e9438f9e97ce9
SHA1 cc321c583c01971c7af5e814a432c7c4f8d7132b
SHA256 e540880ade05d1826d5d6610a348e74b05e181d0330687bbdd039dc0ee4a6faa
SHA512 b5f5f30e8a7f8ae88866845b2266a68083314d5366af9f032cdcde366a70978795135da8c8734db3b20f84edf70bbddd0e88efe6c77db39e505a6a7819ff25a0

C:\Users\Admin\AppData\Local\Temp\nslBC3D.tmp\Processes.dll

MD5 138869ba3c86d7546f8c24e424dcd114
SHA1 db7f3227a7671ac9fb2fd017eca10e390cae2a8c
SHA256 71630aea3eef367f9a88bafb6ad3511a3bc7dcc4995e9eb84b09f8f777b22d65
SHA512 85a94b8fc6e0497a21a4d982e62405725b4d18a0a3c65f5f58b40e93bedd8bea5103f6ac9baff7bd3c93d4f08e0eb24f2c4e0e24dc346c231b87deeb725e1230

memory/2688-119-0x0000000005B60000-0x0000000005B71000-memory.dmp

memory/2688-144-0x0000000005B60000-0x0000000005B7B000-memory.dmp

C:\Users\Admin\AppData\Roaming\CalendarTask\desktopcal.exe

MD5 ba7c2285afc82949168424d8858376e4
SHA1 1564cdddd14640ec820bc04a64c3a632d0ffb167
SHA256 ab224dbb3b114cca10fc923436cd42808687b4cf7c2863c806c22f49a8628411
SHA512 cbf6e84e2d01f2920d352be8ec202c41753884813e75428bdde434107b7910cda7043f491e28cbffc7bc6409db8ce8310c5a4379f1c6e7f10f864906288c21a2

C:\Users\Admin\AppData\Roaming\CalendarTask\ATL80.DLL

MD5 3e9a33113d663d8bd5ed38858e669652
SHA1 1292dc7ffc35a1ef2b761672361bcffa7483169e
SHA256 63e1985a37d5993d170373bc28d067c13c1541ca2b63968b82e35eaacd927b49
SHA512 a2dcd0d5db662653d3085d2ab39e8697b25e096fd2093e3f5ca2edb3087356814adb9f99e490dc95293198e05551a3ddbb3fa2918b8ed5f76d84a22268bfbe7a

C:\Users\Admin\AppData\Roaming\CalendarTask\MSVCP80.dll

MD5 8c53ccd787c381cd535d8dcca12584d8
SHA1 bc7ce60270a58450596aa3e3e5d0a99f731333d9
SHA256 384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528
SHA512 e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755

C:\Users\Admin\AppData\Roaming\CalendarTask\dkcore.dll

MD5 3a5849e599fb7b72a5cd8b2cec35e394
SHA1 5f73010ef0ac585b1fee44c120c3b3f6627f9689
SHA256 8af997f6c3589fb09b3b9c8651bd9631818ff39d064a1a0bfee005538aca7754
SHA512 6e8c343f61006949b75853175bb527c04d360f023eba3c6a369c97dd1bc7703f0afe70ac32447675a9759715c25ac935ba55f26c3bd383f027f25256b6edc5c8

C:\Users\Admin\AppData\Roaming\CalendarTask\MSVCR80.dll

MD5 1169436ee42f860c7db37a4692b38f0e
SHA1 4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3
SHA256 9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46
SHA512 e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0

C:\Users\Admin\AppData\Roaming\CalendarTask\libcurl.dll

MD5 b1f4e12129881373bd2017ba6fd1e50b
SHA1 530006812211677e593d87b12f808a3070a76468
SHA256 f11d86d65ebd3406cd876e96aaea7f1a0b316efb5887baf3625556e247621cfd
SHA512 c5923a17b5444e3a5543359547d4089d0c3d2d4be11e8d48ebace13b204f8c1edcb439507c5f874de26c6907c89a1ab8cae9fe0b83087b8aaf53441bc0a9031a

C:\Users\Admin\AppData\Roaming\CalendarTask\lua51.dll

MD5 590d9c36dfad77891d55165b27b6b048
SHA1 8b28a217188139d208a7a882e18a7b103f2e51df
SHA256 198b37482d8c1be56bf80b0b55d3d33b63e0868fe39908a82e0ff56bf5ad9d6b
SHA512 e45a0c3d6a18927ba095b014335d72e5b2545a74d3c9c8ac8608590687d8a4272b7aa14248cd3cf2a46a81dc7ee21352b6ccca87834c1cd4de70e892954ccc50

memory/4936-230-0x0000000000A40000-0x0000000000A62000-memory.dmp

memory/4936-238-0x0000000000940000-0x0000000000A3E000-memory.dmp

C:\Users\Admin\AppData\Roaming\CalendarTask\dkctrl.dll

MD5 f5621e1becdb5cd4dba2dc83054544d3
SHA1 bb5f4313456e0afcec4a516484e1700282f22499
SHA256 ef618545cd37507b72788427f4cab4249725d231a4a873e1ca404e30fb007c17
SHA512 bcb8add217e7c6ccf35bae3afc1edb435c5f4d3b246aacdbe1573005ce92e58d13366dc810916f517d8c8271a6581223a896b854c5d89c1e512b321b5b30d420

C:\Users\Admin\AppData\Roaming\CalendarTask\dkbase.dll

MD5 d20804a5475463e243a8166b98e008d3
SHA1 8e04961fc03159f5e378b8de6c4db170172a35fd
SHA256 69916fe86baf461a8ad756283312bf1135c89747f341c995618b7f363eb49446
SHA512 2a0eb2f1aed74bfd75de3bfe87e716f1bc20a12cb059e61306cc3d330eeaf79caab6592e978eec57a348a42be2e6775e894b4a20bb3b0da3867dc7e275932944

\??\c:\users\admin\appdata\roaming\calendartask\resource.zip

MD5 ac637a3a9ff6c74375edaa0ac0a20180
SHA1 aabc500757a8afcecf44d7ac0853d3943058d51f
SHA256 2f8fb59ba5fde76041bc4293683a2c21b234289090c78c7af30a85c1463b3538
SHA512 8f99b28925f48c50fa095b24c125964ee8d900db645d72d88506f6026c45e06e9d6e942425ab10dd3e9737a7d973ada6bf2551849d1eb7d679aa07fcc06e75a8

memory/4936-252-0x0000000000940000-0x0000000000A3E000-memory.dmp

C:\Users\Admin\AppData\Roaming\CalendarTask\sqlite3.dll

MD5 fc7db46484442ed0deb46f93f58cf573
SHA1 5195565f5e753fba6a077fa92d608e5dc57abaab
SHA256 4f9a4eeecf20a98a38117d3ef334c8a8270f8bcbeb07bf0d1a86b56fe5a53aea
SHA512 fe9bae58dd480b9bbf9b98902f8901a71fb43c9c1da5ffdd93fd08e4ec1c63894c11de58fdfa69a8122639870ea1c3b9672b584ee646c36b8d241d740a1a2cb2

memory/4936-247-0x0000000002C20000-0x0000000002CE7000-memory.dmp

memory/4936-286-0x0000000060900000-0x0000000060979000-memory.dmp

memory/4936-287-0x0000000000940000-0x0000000000A3E000-memory.dmp

memory/4936-242-0x0000000002A30000-0x0000000002B29000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nslBC3D.tmp\SimpleFC.dll

MD5 d38543fc9ae37d188a23e06ee11d3504
SHA1 174fe778f66db4a527fddf21b1c23e1bc1ceceeb
SHA256 72f33da081b8d579f437e7aa2ba8d9cb9602270b88093ff9411ac6316b52fc6e
SHA512 43d1874e5821d8e5530eaa34d42b76aa867528368779fadcfd2691825297accf04e94bd34867442a76c25d4729edefba9469de6500acfe6f665949f11878c54b

memory/5108-330-0x00000000008D0000-0x00000000008F2000-memory.dmp

memory/5108-326-0x00000000007D0000-0x00000000008CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\CalendarTask\dkui.dll

MD5 474aef5811effbd9abc306925a2834b1
SHA1 3522629070ff4d0806c1e2b891ce2ecb54fb3a48
SHA256 2d9281bc4e842cc4e4afacf74c118f8d8c5a2197f3254454b00ba3d7baead001
SHA512 a9f2a960e0c31eae983caecd3f6941ce23515ef5bab42c4b4148158b07a02a8cebd0548721f44e8eb7cd83d3760e3dadc90e02f721ec5dbefc8bea4acc097e8c

memory/2688-301-0x0000000005CC0000-0x0000000005CF0000-memory.dmp

memory/4936-237-0x000000000099A000-0x000000000099B000-memory.dmp

memory/4936-225-0x0000000000940000-0x0000000000A3E000-memory.dmp

memory/5108-338-0x00000000007D0000-0x00000000008CE000-memory.dmp

memory/5108-337-0x000000000082A000-0x000000000082B000-memory.dmp

memory/5108-351-0x00000000007D0000-0x00000000008CE000-memory.dmp

memory/5108-345-0x0000000002BD0000-0x0000000002C97000-memory.dmp

memory/5108-342-0x00000000029E0000-0x0000000002AD9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dkc_progress_bar_bk.png

MD5 5017b8b0edc93fbca26cb412262ac6ec
SHA1 5796a012a5a1671cee4e4b0cfb062a837070c42b
SHA256 0a9286dba766de0eabd58e9bfb489782c64db16bfb3f978e94e5990e58ca09c8
SHA512 1435ba51ff93ace1aa84d45160bfba309752be660d6e1fc017f75651a51f5e39939bba6de47ed7eea5b40cb2fa10d1b236716932f8151c8bdc0600ba0167b110

C:\Users\Admin\AppData\Local\Temp\dkc_progress_background.png

MD5 348f6de2fbc51323084ac4ba3c9d2002
SHA1 0edb2b6876c0301c4d8a68ae290ba78445c0c484
SHA256 c43168daa882b6715028d6fd6d69272def885fa13b94836b730bec3faf6854af
SHA512 8f6754d47034e29fcc8900331c4bd068e5eefbd447e261503bd248b2a2140a6990610a8ecff6e1ce88538cb9031463ca98783de2fa40b6e7eacab3dcca3daf9c

C:\Users\Admin\AppData\Local\Temp\dkc_progress_bar_go.png

MD5 0a535097bf2375674264d93db75b7c87
SHA1 ad5eca6f2ce9331508d69f54e24c6f508d079315
SHA256 2d0a117f54a5df5cbd75620bfa70fcafc098dbbf882f1fda2c6af73fa483c8ad
SHA512 912c79e1440e49e2f551828878191fb6c419cf082570e961f8dc5dc1860318541d9d470e990853e49b31c745a19034b90bf5cb4591730a89582dd5a48f0ba8e0

memory/5108-352-0x0000000060900000-0x0000000060979000-memory.dmp

memory/3060-361-0x00000000008B0000-0x00000000009AE000-memory.dmp

memory/3060-363-0x00000000004F0000-0x0000000000512000-memory.dmp

memory/3060-370-0x0000000002A40000-0x0000000002B39000-memory.dmp

memory/3060-378-0x00000000026C0000-0x0000000002787000-memory.dmp

memory/540-396-0x0000000002AC0000-0x0000000002B87000-memory.dmp

memory/540-389-0x0000000002890000-0x00000000028B2000-memory.dmp

memory/540-387-0x0000000002790000-0x000000000288E000-memory.dmp

memory/3060-398-0x0000000003980000-0x0000000003C63000-memory.dmp

memory/3060-425-0x0000000004770000-0x000000000479F000-memory.dmp

C:\Users\Admin\AppData\Roaming\CalendarTask\update\updateinfo.xml

MD5 28208d865fb29be13da561752df9f0b5
SHA1 7af33c1d8b70f18c84ffcd720bb8e86506511445
SHA256 81c88666b778ab70df3da511274238d916415057c5b3ff4b7769914f881ff5a7
SHA512 56ab196a5340a73d4a673da9864332fb9ffcf59a3efcb479fcdc84d8b5f0ab28bfb18267101c7994f0e95e8e045b757e356f204c89880100600b5d821b072905

C:\Users\Admin\AppData\Roaming\CalendarTask\update\xdiarys-setup-v3.cab.ini

MD5 fef07f5b504942b226a09fbdaa959da6
SHA1 42871283083cb8656a56babd402cf9df92992ee8
SHA256 c84bb8cd2d0acd1245f76da33d9c01895187318b9df0f6577d1702ae2aece52f
SHA512 d6039249a13e1adfe9d28c0eb81274d33b838e9a9390dc563a4c0e885c0262a72e83a8b74d503362a1527e97f8f4c4257bb22e585cc0131d264aeda01f8f8501

C:\Users\Admin\AppData\Roaming\CALEND~1\update\xdiarys-setup-v3.cab

MD5 7bcbfa07f003d13fbc4903febddf8d85
SHA1 c9df17230bc7b37a8adc7873c5698c538933cfe1
SHA256 550b788711ce22954579543c52454c162016018540b19e95ac4276f7dee70be5
SHA512 7464641cee58050983aa19ec2495c8f94da30b5b4d99b608bae56f98194e2b0a0b1df82cba958ef686413a65380ec4359188dee6410cb7c31f61a346ed0e474e

memory/540-706-0x0000000060900000-0x0000000060979000-memory.dmp

memory/3060-707-0x0000000060900000-0x0000000060979000-memory.dmp

memory/3060-713-0x0000000060900000-0x0000000060979000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 81b55313d02c3480b15c0103329a548e
SHA1 3a6160819200af8d9fee39fa91acbc7706a10c3c
SHA256 0bdaf834591bf1947eebbcd94e6db080d50d3920af7a79259db62824387a1bbe
SHA512 1b0fd0f73bfafbbb2f75ddc86e8e3afb6c0edcc75cf1268f68382c79aa76375af67552ee5a7bf459e4a1b975801d8ffdbbc52a30a3eefb51a4f63adce1af6133

memory/2176-738-0x00007FF852510000-0x00007FF852520000-memory.dmp

memory/2176-739-0x00007FF852510000-0x00007FF852520000-memory.dmp

memory/2176-740-0x00007FF852510000-0x00007FF852520000-memory.dmp

memory/2176-741-0x00007FF852510000-0x00007FF852520000-memory.dmp

memory/2176-742-0x00007FF852510000-0x00007FF852520000-memory.dmp

memory/2176-743-0x00007FF84FE90000-0x00007FF84FEA0000-memory.dmp

memory/2176-744-0x00007FF84FE90000-0x00007FF84FEA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 26558248d658c2af71a1b3899dc173fe
SHA1 f2d223b26e231a293cece8d7d821b3d402f30d05
SHA256 1ec18c3910dda2ca6601fbbd0d3ad68258bc48cf886f7d235aa4572d09893c60
SHA512 42cd4135200b10df191429e81a25bd8306429deffa1fac3057a0a570e327ddfaa8b184f07ba664e6895be173f4d081bcdf455a3ac972c4bd6c8062b6a8246c34

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b0d5406f51109b217f61912df65275fa
SHA1 bc2b889fed108ff9417ad2e4f32cd7e7d78999f6
SHA256 13716670a8caf53f19f3a161b513355eca5e0b8be383f5a4fc67b9a6916f5d29
SHA512 f7a7308d2561a0994592d9dc8414d95fd2196d169fa6cb7aa3fd4c86e11ea6555f2de2f4cc790d89aec3458deb0f93d4f53d864f2fe9421382194717740f9de5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 dad4dc62cb604edd6c5c90edb8a67a47
SHA1 0418de45f62d35497ae29ac53df5285dcbd20e5e
SHA256 a459f5976bbf39cb1ecc5f10dde3dacd8a4ac05cac989afbf45e3a2aefcd2b77
SHA512 9b3567e79d4d9dbdd4a19906ee9f183d5dff04174eaa663281f6966ec1cbb046364d19ed1dd1ccd91f63e3685d1772c5cb6c6599815b5c03a57945eeb192be53

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b94d575e9f18a27ec38d3da9fb21d599
SHA1 2b4a17964c87fab80a65e197696c290e7861307f
SHA256 a817495e3c97da298e98a2a229b0f251e3a7c0a191c4a71da2ec33431cfa8b50
SHA512 05f93bab079efae9912df69c34e85341d269740062defbb314c8980f9d7f9015713203d3604eecda9bde882ca94d74fff4aa198cf3682f0577a8209d0cc9e88c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 64750484fd90cc319a5affbaa5ea754a
SHA1 6a21f1da3356a0cdb0924feb4bbb1e3e56996a26
SHA256 d024b6f9f11e2e0130c7165bca7b9e93be75f89cda84dd79256a0a7aa598526a
SHA512 18f8dd9ee18324b32e92842b50d5ce7bbdb8660acfe5702d612df529e14fcbd0162c132ee427cfba9b4312dcc7cf0c992eba03d9d0a177f79aa69d25963a6e0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 31e55e0c20398000037ab41230ff5360
SHA1 72078a9f97a6aabad2fd87cbc408f1d728f25457
SHA256 9c3d01a7b07e9222582e2d56ff0ca0f3d66e8c586df33e23cae369b04ff104f8
SHA512 9746787af97e4f4ec6f13568c68c670b006db823d9c588500b0318e214de79571193a3a9ad4e1cf34b1d36b4997c437c83a0d3f2f9a404ab4b606359248f9677