Malware Analysis Report

2025-01-22 15:01

Sample ID: 241214-beg2cstqaq
Target: 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc
SHA256: 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc
Tags: orcus standoff discovery rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc

Threat Level: Known bad

The file 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc was found to be: Known bad.

Malicious Activity Summary

orcus standoff discovery rat spyware stealer

Orcurs Rat Executable

Orcus family

Orcus

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-14 01:03

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-14 01:03
Reported: 2024-12-14 01:05
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Syncing metadata\Explorer.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Syncing metadata\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
File opened for modification | C:\Program Files\Syncing metadata\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
File created | C:\Program Files\Syncing metadata\Explorer.exe.config | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2208 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2208 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2208 wrote to memory of 720 | N/A | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | C:\Program Files\Syncing metadata\Explorer.exe
PID 2208 wrote to memory of 720 | N/A | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | C:\Program Files\Syncing metadata\Explorer.exe
PID 720 wrote to memory of 1952 | N/A | C:\Program Files\Syncing metadata\Explorer.exe | C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 720 wrote to memory of 1952 | N/A | C:\Program Files\Syncing metadata\Explorer.exe | C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 720 wrote to memory of 1952 | N/A | C:\Program Files\Syncing metadata\Explorer.exe | C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 1952 wrote to memory of 4920 | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 1952 wrote to memory of 4920 | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 1952 wrote to memory of 4920 | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | C:\Users\Admin\AppData\Roaming\Node S2-N.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe

"C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Syncing metadata\Explorer.exe

"C:\Program Files\Syncing metadata\Explorer.exe"

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 720 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /watchProcess "C:\Program Files\Syncing metadata\Explorer.exe" 720 "/protectFile"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | vimeworldserverstat.serveminecraft.net | udp
RU | 91.227.18.174:3306 | vimeworldserverstat.serveminecraft.net | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 174.18.227.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/2208-0-0x00007FF8DF773000-0x00007FF8DF775000-memory.dmp

memory/2208-1-0x00000249B7C40000-0x00000249B7F4A000-memory.dmp

memory/2208-2-0x00000249D24C0000-0x00000249D251C000-memory.dmp

memory/2208-3-0x00000249B82F0000-0x00000249B82FE000-memory.dmp

memory/2208-4-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

memory/2208-5-0x00000249B83B0000-0x00000249B83C2000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 20e49432591aeca9939d49f7e31d0ed5
SHA1 4fc0011186fd5b88620c503d42a3c62000a3b7fd
SHA256 7100036177c61bd0e5ecf14e70bb9803f75b2807b076974995dfa1175d2006c9
SHA512 37b23b5bb7f93e46fcc22d86c5fa1890e8db0b1683515aa2e22d03ce80e7ee0e8fcaad2de695582f2c4adee2e338d447a6be343ee04f0717482c746c07fd0afd

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 89817519e9e0b4e703f07e8c55247861
SHA1 4636de1f6c997a25c3190f73f46a3fd056238d78
SHA256 f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512 b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

memory/2312-19-0x000002266D8B0000-0x000002266D8BC000-memory.dmp

memory/2312-20-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

memory/2312-22-0x000002266FCA0000-0x000002266FCDC000-memory.dmp

memory/2312-21-0x000002266DCC0000-0x000002266DCD2000-memory.dmp

memory/2312-23-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

memory/2312-27-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

memory/2320-29-0x000001C778BD0000-0x000001C778CDA000-memory.dmp

C:\Program Files\Syncing metadata\Explorer.exe

MD5 595866ce3023aa7a94a221bcff8bfe15
SHA1 f1f8c080b238b7ea66d0d42732268fca9ae77364
SHA256 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc
SHA512 75a406fdb7b862786f9ad402ca475affad57393d604669b2912db5cca3193f538f4fa5512d5f1524bdff4006cacd0ec664b5451f18a292ae2f34e2686f2d5308

memory/2208-45-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

memory/720-47-0x000002CA4A5D0000-0x000002CA4A628000-memory.dmp

memory/720-46-0x000002CA4A5C0000-0x000002CA4A5D2000-memory.dmp

memory/720-48-0x000002CA4A790000-0x000002CA4A7A8000-memory.dmp

memory/720-49-0x000002CA4A7D0000-0x000002CA4A7E0000-memory.dmp

memory/720-50-0x000002CA63500000-0x000002CA636C2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

MD5 7796236d80b9e55f9571418e05a9578b
SHA1 14039d2800ca54c49c817b1fa35bdf45024ceab7
SHA256 02ea168ca6eb5b6211d7525ada5e100323d41155620ca40a149038b61fdb6cc5
SHA512 604b70f61bc0d8348b05921d46ce8aaa411a46ffa82ae516b4ba5e4df66759712e71bed77971a7c501e97b5f5d8a22440a29837fa7ce8e0a55ed5ee811e32cd5

C:\Users\Admin\AppData\Roaming\Node S2-N.exe.config

MD5 7efa291047eb1202fde7765adac4b00d
SHA1 22d4846caff5e45c18e50738360579fbbed2aa8d
SHA256 807fb6eeaa7c77bf53831d8a4422a53a5d8ccd90e6bbc17c655c0817460407b6
SHA512 159c95eb1e817ba2d281f39c3939dd963ab62c0cd29bf66ca3beb0aff53f4617d47f48474e58319130ae4146a044a42fc75f63c343330c1b6d2be7034b9fa724

memory/1952-66-0x0000000000040000-0x0000000000048000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Node S2-N.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-14 01:03
Reported: 2024-12-14 01:05
Platform: win7-20240903-en
Max time kernel: 147s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Syncing metadata\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
File opened for modification | C:\Program Files\Syncing metadata\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
File created | C:\Program Files\Syncing metadata\Explorer.exe.config | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{38C188C1-B9B7-11EF-8C40-E67A421F41DB} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440300073" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000222b66503806ad49b8acad3bcca7758d000000000200000000001066000000010000200000003b19e7efa73867e7585f1afdf5a69a0e17d3c2fe45ef5d45ec8f766d756808bf000000000e80000000020000200000004f74a76e036a90f01fb859b6de71487c679b50792835d2d334b652db53e94f3c2000000095797c340e0fbe33964f5d372e1d30222d630f797e1ab9398a5630f279b46d5240000000c6ae4c479416baea5b2613e2a10c24cbbc0de1602502761c1a4c86d8a1f635d1ac4eff1b42ddfdcb3e2c200f5d9bdf8924900517c5303fa8a4021f5971ac6e6c | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70381300c44ddb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Syncing metadata\Explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2204 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2204 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2204 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Program Files\Syncing metadata\Explorer.exe
PID 2204 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Program Files\Syncing metadata\Explorer.exe
PID 2204 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Program Files\Syncing metadata\Explorer.exe
PID 2720 wrote to memory of 2652 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 2652 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 2652 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 2652 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2652 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Roaming\Node S2-N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2652 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Roaming\Node S2-N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2652 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Roaming\Node S2-N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2652 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Roaming\Node S2-N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2912 wrote to memory of 1816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 1816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 1816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 1816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 2656 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 2656 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 2656 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 2656 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2912 wrote to memory of 2536 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 2536 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 2536 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 2536 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 2896 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 2896 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 2896 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 2896 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2912 wrote to memory of 1948 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 1948 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 1948 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 1948 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 844 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 844 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 844 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 844 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2912 wrote to memory of 1972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 1972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 1972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 1972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 880 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 880 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 880 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 880 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 640 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 640 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 640 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 640 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2912 wrote to memory of 1756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 1756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 1756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 1756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 1604 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 1604 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 1604 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 1604 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2912 wrote to memory of 3000 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 3000 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 3000 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2912 wrote to memory of 3000 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 556 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 556 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
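
The table above repeats each PID pair three or four times, which hides the shape of the chain. The script below is an added example, not part of the sandbox report: it parses rows copied from this table, collapses the repeats into one edge per pair with a write count, and prints the resulting tree. Two things worth knowing when reading the output: every written-to PID is also a child launched by the writer (the Processes list carries 2720 as the parent PID in the Node S2-N.exe arguments and SCODEF:2912 in the IEXPLORE.EXE arguments), so these rows describe process creation rather than injection into unrelated processes; and the iexplore.exe branch under Node S2-N.exe is the .NET CLR shim opening its go.microsoft.com/fwlink "required runtime missing" page, so it is browser noise, not RAT behaviour. The row layout, the regex and the SHIM_NOISE list are assumptions made for this report's format.

```python
import re
from collections import defaultdict

# Rows copied from the WriteProcessMemory table above, one per distinct PID
# pair plus one repeat (the report lists each pair three or four times).
WPM_ROWS = r"""
PID 2204 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2204 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2204 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Program Files\Syncing metadata\Explorer.exe
PID 2720 wrote to memory of 2652 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2652 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Roaming\Node S2-N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2912 wrote to memory of 1816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 2656 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2912 wrote to memory of 2536 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 2896 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2912 wrote to memory of 1948 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 844 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2912 wrote to memory of 1972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 880 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 640 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2912 wrote to memory of 1756 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 1604 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2912 wrote to memory of 3000 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2720 wrote to memory of 556 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
"""

# Source and target paths are separated only by a space and both contain
# spaces, so the split is anchored on the "C:\" that starts the second path.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$")

# Image names that are fallout of the .NET "required runtime missing" dialog:
# the CLR shim opens go.microsoft.com/fwlink/...sbp=AppLaunch in the browser.
SHIM_NOISE = ("iexplore.exe",)


def parse_rows(text):
    """Yield (src_pid, dst_pid, src_image, dst_image) for each table row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def build_tree(text):
    """Collapse repeated rows into one edge per PID pair with a write count.

    Returns (children, images, writes): children maps a PID to the ordered
    PIDs it wrote to, images maps PID to image path, writes counts rows per
    edge.  Every target is a child the writer launched (see the Processes
    list), so the table is read as a process tree, not as cross-process
    injection into pre-existing processes.
    """
    children, images, writes = defaultdict(list), {}, defaultdict(int)
    for src, dst, src_img, dst_img in parse_rows(text):
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if dst not in children[src]:
            children[src].append(dst)
        writes[(src, dst)] += 1
    return dict(children), images, dict(writes)


def roots(children):
    """PIDs that write to others but are never written to: the submitted sample."""
    targets = {d for kids in children.values() for d in kids}
    return [p for p in children if p not in targets]


def render(children, images, writes, pid, parent=None, depth=0):
    """Return the subtree under pid as indented text lines, one per process."""
    count = f"  writes={writes[(parent, pid)]}" if parent is not None else ""
    tag = "  [.NET shim noise]" if images[pid].lower().endswith(SHIM_NOISE) else ""
    lines = [f"{'    ' * depth}{pid}  {images[pid]}{count}{tag}"]
    for kid in children.get(pid, []):
        lines.extend(render(children, images, writes, kid, pid, depth + 1))
    return lines


if __name__ == "__main__":
    tree, imgs, wr = build_tree(WPM_ROWS)
    for root in roots(tree):
        print("\n".join(render(tree, imgs, wr, root)))
```

Run as a script it prints the sample (2204) at the root, WindowsInput.exe and the Program Files copy of Explorer.exe beneath it, eight short-lived Node S2-N.exe children under 2720, and the tagged iexplore.exe branch with its six IEXPLORE.EXE content processes.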

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe

"C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Syncing metadata\Explorer.exe

"C:\Program Files\Syncing metadata\Explorer.exe"

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=Node S2-N.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:275468 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:275490 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:865289 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:865327 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:1127447 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:1258566 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:1324070 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:3355694 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:3814463 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:2765898 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:3552335 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:3421327 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile
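
The Processes list carries the three command-line indicators a detection engineer would take from this run: the dropped WindowsInput.exe registering itself with --install from SysWOW64, the Node S2-N.exe watchdog with /launchSelfAndExit "<binary>" <pid> /protectFile, and a binary called Explorer.exe running from "C:\Program Files\Syncing metadata" instead of C:\Windows. It also explains why Node S2-N.exe appears about twenty times: the iexplore.exe line is the .NET CLR shim opening its fwlink page because the watchdog asked for .NETFramework,Version=v4.8 and that runtime was not present on the VM, so the watchdog died on start and Explorer.exe kept relaunching it. The script below is an added example, not tooling from the report or from the Orcus project: it runs those rules over command lines copied from the list and reads the .NET shim URL to name the failing binary and the missing runtime. The rule names, the extra OS_BINARY_NAMES beyond explorer.exe and the quoted-image command-line format are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Command lines copied from the Processes list above, one per distinct line
# (the report shows the Node S2-N.exe line about twenty times).
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe"',
    r'"C:\Windows\SysWOW64\WindowsInput.exe" --install',
    r'"C:\Windows\SysWOW64\WindowsInput.exe"',
    r'"C:\Program Files\Syncing metadata\Explorer.exe"',
    r'"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2720 /protectFile',
    r'"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=Node S2-N.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0',
    r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:275457 /prefetch:2',
]

CMD_RE = re.compile(r'^"([^"]+)"\s*(.*)$')
WATCHDOG_RE = re.compile(r'/launchSelfAndExit\s+"([^"]+)"\s+(\d+)', re.I)
# Windows binaries that have no business running from outside C:\Windows.
# Explorer.exe is the name this sample borrows; the others are an assumption
# added so the rule generalises beyond this report.
OS_BINARY_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def split_cmdline(cmdline):
    """Return (image_path, argument_string) for a quoted-image command line."""
    m = CMD_RE.match(cmdline.strip())
    return (m.group(1), m.group(2)) if m else (None, cmdline.strip())


def classify(cmdline):
    """Return [(severity, rule, detail)] for one command line."""
    image, args = split_cmdline(cmdline)
    if image is None:
        return []
    name = image.rsplit("\\", 1)[-1].lower()
    low = args.lower()
    hits = []
    # Dropped WindowsInput.exe registering itself from SysWOW64 (--install).
    if name == "windowsinput.exe" and "--install" in low.split():
        hits.append(("high", "orcus_windowsinput_install", image))
    # Watchdog: relaunches and shields the main binary named in its arguments.
    if "/launchselfandexit" in low and "/protectfile" in low:
        m = WATCHDOG_RE.search(args)
        detail = f"guards {m.group(1)} (pid {m.group(2)})" if m else args
        hits.append(("high", "orcus_watchdog", detail))
    # System binary name executed from a non-Windows directory (masquerading).
    if name in OS_BINARY_NAMES and not image.lower().startswith("c:\\windows\\"):
        hits.append(("high", "os_binary_name_outside_windows", image))
    # The CLR shim opens this fwlink when the runtime a .NET binary asks for is
    # not installed; the query string names the binary and the version.
    if name == "iexplore.exe" and "sbp=applaunch" in low:
        q = parse_qs(urlsplit(args).query)
        who = q.get("processName", ["?"])[0]
        need = q.get("o1", ["?"])[0]
        hits.append(("info", "dotnet_missing_runtime_shim", f"{who} needs {need}"))
    return hits


def scan(cmdlines):
    """Group findings by rule; repeated command lines collapse to one detail."""
    grouped = defaultdict(list)
    for c in cmdlines:
        for _sev, rule, detail in classify(c):
            if detail not in grouped[rule]:
                grouped[rule].append(detail)
    return dict(grouped)


if __name__ == "__main__":
    for rule, details in scan(PROCESS_CMDLINES).items():
        print(rule, "->", "; ".join(details))
```

The IEXPLORE.EXE SCODEF/CREDAT lines produce no finding on purpose: they are ordinary IE content processes of PID 2912 and, together with the Internet Explorer registry writes earlier in this report, are a side effect of the shim launch rather than something the RAT did.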

Network

Country Destination Domain Proto
US 8.8.8.8:53 vimeworldserverstat.serveminecraft.net udp
RU 91.227.18.174:3306 vimeworldserverstat.serveminecraft.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2204-0-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp

memory/2204-1-0x0000000000E40000-0x000000000114A000-memory.dmp

memory/2204-2-0x0000000000450000-0x00000000004AC000-memory.dmp

memory/2204-3-0x00000000004B0000-0x00000000004BE000-memory.dmp

memory/2204-4-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

memory/2204-5-0x0000000000A90000-0x0000000000AA2000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 20e49432591aeca9939d49f7e31d0ed5
SHA1 4fc0011186fd5b88620c503d42a3c62000a3b7fd
SHA256 7100036177c61bd0e5ecf14e70bb9803f75b2807b076974995dfa1175d2006c9
SHA512 37b23b5bb7f93e46fcc22d86c5fa1890e8db0b1683515aa2e22d03ce80e7ee0e8fcaad2de695582f2c4adee2e338d447a6be343ee04f0717482c746c07fd0afd

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 89817519e9e0b4e703f07e8c55247861
SHA1 4636de1f6c997a25c3190f73f46a3fd056238d78
SHA256 f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512 b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

memory/2288-13-0x00000000010E0000-0x00000000010EC000-memory.dmp

memory/2288-14-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

memory/2288-15-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

memory/2288-18-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

memory/2736-20-0x00000000000D0000-0x00000000000DC000-memory.dmp

C:\Program Files\Syncing metadata\Explorer.exe

MD5 595866ce3023aa7a94a221bcff8bfe15
SHA1 f1f8c080b238b7ea66d0d42732268fca9ae77364
SHA256 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc
SHA512 75a406fdb7b862786f9ad402ca475affad57393d604669b2912db5cca3193f538f4fa5512d5f1524bdff4006cacd0ec664b5451f18a292ae2f34e2686f2d5308

memory/2204-27-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

memory/2720-30-0x0000000000A80000-0x0000000000D8A000-memory.dmp

memory/2720-31-0x00000000024E0000-0x0000000002538000-memory.dmp

memory/2720-32-0x000000001A9E0000-0x000000001A9F8000-memory.dmp

memory/2720-33-0x000000001AEE0000-0x000000001AEF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

MD5 7796236d80b9e55f9571418e05a9578b
SHA1 14039d2800ca54c49c817b1fa35bdf45024ceab7
SHA256 02ea168ca6eb5b6211d7525ada5e100323d41155620ca40a149038b61fdb6cc5
SHA512 604b70f61bc0d8348b05921d46ce8aaa411a46ffa82ae516b4ba5e4df66759712e71bed77971a7c501e97b5f5d8a22440a29837fa7ce8e0a55ed5ee811e32cd5

C:\Users\Admin\AppData\Roaming\Node S2-N.exe.config

MD5 7efa291047eb1202fde7765adac4b00d
SHA1 22d4846caff5e45c18e50738360579fbbed2aa8d
SHA256 807fb6eeaa7c77bf53831d8a4422a53a5d8ccd90e6bbc17c655c0817460407b6
SHA512 159c95eb1e817ba2d281f39c3939dd963ab62c0cd29bf66ca3beb0aff53f4617d47f48474e58319130ae4146a044a42fc75f63c343330c1b6d2be7034b9fa724

C:\Users\Admin\AppData\Local\Temp\Cab9F4D.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 582051a92376c8e1e0b158753fb4166d
SHA1 ec83b8b4af37a47f673da27b08e7dcd828d8336b
SHA256 0e4319f512380284f6c76df503732c872a11ccaf3e0f9b1608b48be5eec86262
SHA512 e28cecae6146ab393fe4cb55561aa3050a51602c7ee121eaf530aab6ee99e6be9a800d61c3190b9b6a410ca5ae4ee5f5181bb591f095ae0bb274265c9666f934

C:\Users\Admin\AppData\Local\Temp\TarBE41.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c8e9775000e499f483efe05290d7cce
SHA1 9fbce2aefac222934982338b16ca65901535053f
SHA256 280d9e4e66769717ebd19463ec6a88781a4973f9b4547f21abc34ff943b5df51
SHA512 5b5ffc9f0f618df67ccf9a92933b3fdc18e7c90afa1268d6b6c655b4ed281c0be9a83394ea9fa68241dc9f9f8194e7d376139dd15b9b891319c769c6d0525d54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 603e70e0f43b0b00ca2613b1215faeda
SHA1 001fcfeeca61d6605a9885e0bf5a0e072ebf725a
SHA256 4478091ee8d616c7486d22f9fc8c3e066fd271b65587ae2b6b2fd3f066d06dc9
SHA512 958bcc2093315e4007be24ab25a796ca0286cfeb0d373d125fc34077d7c78d77359c736825a5cd951676d15fb5916f4c1ea1d040111e0b5846829d6379e730a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cbf884fb24610ea358139fb2bf979757
SHA1 cbcedb8fb8a5222fdea4e2b3b0bd7bb94f06e0ff
SHA256 f41548457c94cb37c011b40ce072c8db07597df4b31a78eaf9931fb9b6196da9
SHA512 6f45a025b2b47ad1731f48031dca61d33083482d0e7ba02135edc974a61055921a6bbb38e52082d2ab87256fdc3d5b13c1cc255c7085207aacc3ea4012adcebb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 afb9fbbd082229269f3cb8bf3e6d8305
SHA1 e09073007c275e9ea1645240770ad77f82847dcd
SHA256 bba615659ed004605283aa918f35fceb235dd2f051e597c66f2a23d99998ad21
SHA512 fe133d18d5cb7b0632385663268cd1bc26b586791c28a4394cce317db8010f695d846166a763745af0e6f0b1019592cd955bd7d1e6ef37958e06a59c3133b347

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db19c6dc4f0b88f1690ec82970c58a76
SHA1 33b2add579c262b5c228c41b39fe06eb4b88c754
SHA256 4ff7cc72a48884e45f26d87adec2047696fa1b4bc9462943d1e86d4efb753dc7
SHA512 808770331578ec2345a44efe9fddad31a90b2514e958b7839f2ce51d0efec2aefadf95b772a9093b571d948ce5f82e0ea37962240b081291ab3c29f9022fd290

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73d28d60a856c61c3e0f7acb31d7f7cc
SHA1 f154cf5e588d65b688fe12368f31190e143248e6
SHA256 38612cedcfa09232a0a586dda021e4d6633c8d28d9921648504dfe50e86e0856
SHA512 d09d412899094faeade1762053e8f36ca286966760b8e8f057fd303e48fcbcb279bda5253733bd4039c0a30b4b2999f6b730b410f26270e00d277e42baa58f33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e260cbc2d45206090e758608af08132
SHA1 89a29cd229308083deca79346df059f0d8d35d05
SHA256 404259163b9ec790429fd825755038709773afecaf9feaba058985fd72710941
SHA512 4ff705d0e33bcb971a4548af898fe9384831df5d148e601a3c0bd92332c1256a0065f130c12e9037321437fc5a71cb5e1983332b72501a485537695e8233b8d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a36f49f9e499e11925755f926c40d720
SHA1 879f3133b4f5b5a01a1ac007995048f57898ccea
SHA256 b26247dc4cfe790a214b12728ffd3d0ea3c03c93f4d3a8b9b2673a6fc49f4ff0
SHA512 54a7c982fe1126c04dd3161bf05f14b004526bc241b1f7b066fc42ee2b0ada8cf5e49851fb3ad85064d19481879bbad59ace8817bed5eb917892c507547f794d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a627620666ebbaa531c7be8fafab677
SHA1 fc202dbd90cf9e948e73da288111c20c2ffff3f1
SHA256 39f59d56dbf0621bbaf50f3ba4405e43c817f10fc71475844e8f217afa3fe280
SHA512 db7fc63f76c19b5fa395fb595cf1761190f635269ebc8c6b344f008754068420c585b247a24af2f333d808a0b365e077ef103c12c9d0a96b4f225930a478bb21

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 145880a485d326fa5b5311033db1b0d7
SHA1 fc5a9fcdbb93c58616044de65c2dd69dc7a76ae0
SHA256 62b727e087c520589621ad18687e525f580ce00dbc6cec31d7a094132153bfbd
SHA512 9ff5dcc7f3163ca0f7af26caa2cc0bf7793c3626c5a2c1d5ce206323af2fddd803a9de7f2403c07f64633354776c040bb9fa461456ff5c1a0870ecc88f63a659

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fed2cf2550543c86edcac3437e27e2b6
SHA1 fcb77ced517857965387fe995947ee9a26801767
SHA256 6e77bf083fc49b52689a096bc683a97dbd788c6d8944b4363a79fa6d12a92d1a
SHA512 e895efd7cf617b5dbb136a837e8f33e16f10c0c214e0adbd9d3b659daee22f3fb2c18eccdb9101226e794cc919d5fc58e85362c001d1797ed0d804800c05ddb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7bb8ced3e5e97bf17ac93c2071f0ea7
SHA1 e680a26c1ee1bf2b8111911f414ea8dba6aed0a3
SHA256 b9e7aba08594a83f67d2418e4b9528a5e3271f6ea9f99bcc407eb57e180eaf29
SHA512 0032dab560060a31578aa34a6ba504197793008f96a74a0b7be1023c12c5abd24b34b8fd4e7f22dea107abdea731912bcb212e2e9e93bbf9a8a290b7a6c983f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66c13035fa937568e13f4eb1b2044c26
SHA1 b45dfa2c13b31ee2499aeb7358a3895e599ad0a4
SHA256 ba3a64713026902fbd65135e9e9aa188c9d79d68a7b779534f0d7cc084cee5a0
SHA512 a07b4b5dabc050af2494290f37697646a42ba4bc96e5330ac407bad68d7cf88eecfd816dad7b266e78d89ccc935cd74b84cd52bd518c84f6051ad0edf62caa10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9982224ce3f9e755c3e2dd548a0cfe85
SHA1 c20da56c00e0d036cfbf69a8d7eba2d434902177
SHA256 7ebd0b305ace8d040b1e241b355ca15c7cd8c2ce400f2bd92d02c2d5e09855ee
SHA512 a8014c72fc424358a000d4f96da044e567d8697a67c9dc1d84d22159745cd79e84708ea36f6076b1c9318893b06205b71f17945545228746865f0e2604b7a847

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\invalidcert[1]

MD5 a5d6ba8403d720f2085365c16cebebef
SHA1 487dcb1af9d7be778032159f5c0bc0d25a1bf683
SHA256 59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7
SHA512 6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\ErrorPageTemplate[1]

MD5 f4fe1cb77e758e1ba56b8a8ec20417c5
SHA1 f4eda06901edb98633a686b11d02f4925f827bf0
SHA256 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
SHA512 62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\invalidcert[1]

MD5 8ce0833cca8957bda3ad7e4fe051e1dc
SHA1 e5b9df3b327f52a9ed2d3821851e9fdd05a4b558
SHA256 f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3
SHA512 283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\green_shield[1]

MD5 c6452b941907e0f0865ca7cf9e59b97d
SHA1 f9a2c03d1be04b53f2301d3d984d73bf27985081
SHA256 1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439
SHA512 beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\red_shield_48[1]

MD5 7c588d6bb88d85c7040c6ffef8d753ec
SHA1 7fdd217323d2dcc4a25b024eafd09ae34da3bfef
SHA256 5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0
SHA512 0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\background_gradient_red[1]

MD5 337038e78cf3c521402fc7352bdd5ea6
SHA1 017eaf48983c31ae36b5de5de4db36bf953b3136
SHA256 fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61
SHA512 0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\down[1]

MD5 c4f558c4c8b56858f15c09037cd6625a
SHA1 ee497cc061d6a7a59bb66defea65f9a8145ba240
SHA256 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
SHA512 d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\red_shield[1]

MD5 006def2acbd0d2487dffc287b27654d6
SHA1 c95647a113afc5241bdb313f911bf338b9aeffdc
SHA256 4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e
SHA512 9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e76fb1d00a241fc8e440fb5eb2948ed3
SHA1 d3f01cad0556d5215fbdaf1449aaedc46f52eac5
SHA256 771f8b7d9ba731f8444deacbb7921ade1402c7a1b9af1a5b1a9cae0f906a1511
SHA512 ecc20a130289188191f03e541feb45322a97922ba05b411c9325d637d532b345185e866dfcba5b09159ebd57a2382c68b1f9bb74674a493c30aa25451309eff8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be414fca30e02631c43e2ba1e32645d6
SHA1 312646d51a71b99ef5c86b5eadc62b1a7b0b29d8
SHA256 fcabba46299433997be4942ff62bc2dacb7362eeedd6ee48f09962b2b6d5287c
SHA512 bd0914e9823c7384b76ea941b0fcbcd014e9c9d88f7e896535699307009d4cc928201aed00ac95c13e9f4147a404f06d788bf12b7daaca60f1404cdf9d610b43

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71f2e24ea32825a5829b52406df3ac8f
SHA1 69f784a85298d1899e64ab3d30410aac5977cd0e
SHA256 2366bf8b00801b2e586c1d2bb320a66eeaf12604904fa87ed8d634d897bbb7b7
SHA512 df48fde5f8ae71761c1e496d4183bc2cf684b51c8616cd61fa82f7da718bbff4695e9edabbc6582b9d7c5c7ff3c2c647326b7049f50e4186619c2a40ee3fd62c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f968a2601a87e233d84cd94f413882f
SHA1 2e4bd0a5517e0f7a0185a6338a54821d83190056
SHA256 04323c6759da37dcc71bfc5e425b074c0105a03eef45b2a6c273625ec9fc939a
SHA512 794f0f0772db001f5b2a70634ca5f3d284502a55a630dda573d1c2b6c4db7c76c5d99067b254d2a5ebf3211dd04184b03d9dcd4a502f1dab871269ebbcb13955

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ee79ba527caa9bb847c0af2dccdd7fa
SHA1 a2a3d2d7cb48cc87a5aed6e54a7f6aa0e3f6a6bd
SHA256 b4cfcc071a3571d92cff5d4385e42cc7b5dcd1853024115b62a372b35cd15316
SHA512 d15ad6fbe019ddd8ca4fd685da0cae453ebbad6d504e5dbd49e33044fd46ac8972d7156c1f4cb59ca80d6f5344ea09bd88580d4c5e29fe33591b890fc2ef360a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2a7dc60ff51b1be547347be65336745
SHA1 82d1aefd6fd63c25879ea46dfbba1407f3c8f8cb
SHA256 092c821450b1cdebd9a34954ce8f2e58e2b49d8a1d3f02021a831ed26de1f7b0
SHA512 cbdf00ea84bb1a81772189cb14b15159d8e17a5156f7ac9421c06214880e52b76a7b001730ca86bb0bf39eb735305a31127d17bd823abe98cb0568def106c201

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f57439353cced1be468ca5d33d3ceb88
SHA1 5ec20f2b508b89f8eb951aebae1b7113a9a44b8b
SHA256 45c2c8f4753acad71c6f4016364494743ce39bccb06c812aaadcfc5c22516107
SHA512 4de21a7ac1dbf67a1b632042f040bfb123acfaf0c3db0a5483e45134f01528734a77fcb603a1f7af8459c9a068d5d38c103991a47394e9a5486b2aef75e342bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 964fa553acb6ed888cffbcd833bd2ebd
SHA1 89154afc7c8c420aefc6fc4bb45cadf005118560
SHA256 d56d536bec4da36c528f84cc8e0239401eab9bfd97a18ccc7d83aa489145a4ac
SHA512 b4a6525c753a6fbe4dc9f0898708344da6a1d7d61671fcc26e5c8c0ce59231397e4b5390dda42f3a14a39ff75e7571eaa4192d30607708cd23b2ffb4238dac1c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12567436bf43e65a95dfd5c1b43781da
SHA1 cbe7f943ba57dda24c91c0b90ee7a11b93398196
SHA256 0f34850515f96855514baa371d2773fed1440162724d6f102d6b80d37c0edec3
SHA512 1e65d94f7e58cb80b170c8416ed4888c73869ec4a52edafed2fae6250b8e8eb9838fd685a6b76ed5848f7e3f0a6d48132b849669fc5dd4d55c8f0b2c12c3bbcd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a331a70444b21f7fb56df1eb3fbfbba
SHA1 6b9266319e539fb1ebcd0665b33c5ef1c7a5dac5
SHA256 d7623a135be0a60ec710a647222af6423eba909c3264dc28129f25d5776c2ce9
SHA512 569abe5c297a41b664825fc0bcfa6e68422b189d322f1ba369413a2f21fe9fb2185cea65aefc04d5989bc9c4813b04b57cc094507ff3400aefe9231ed21dc777

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aee47e452a4eb18b79b19f357b876b2f
SHA1 db4a7a6ec9e146ec6ae0ba8448bfe2c517ecab15
SHA256 d61327ff9508291ba7dd8a531c2cf9270df3e78ff381764bea328768494aea6d
SHA512 49003777965cc3cfbd5f4dfbab82e2e4b49bfb5ce1dd911af46334ffd8de5a3c426f76eb41efcba11073b3f55def9f2e92d5629b6a72d29f6eceff40dd667bd6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 794d6fd47a97bea79c1cc7538b8241f1
SHA1 acb9cc9a89cbe71e177535f0ec8666f8694aef40
SHA256 5d25e616f66f6c3d89e78180096056a03a90e07af0ad4020f0865d4f1bb07a91
SHA512 68504e9de74d5e019c4b4bbe34e9b5ba7156ca451b28f32a1e1cc93f63ea15c366d0718cb24de013cba1c38209ba1f450193a72fa9097e385b2b1649b5d416b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82e3108cb12ede86f3d055c190a7290c
SHA1 1a83c8285c71c2988c9a99730f2b9a6fdb07ec74
SHA256 00e23d1862a981ee1a57cf918750707094c8f13fc15d38512cb6b28f9eadeba3
SHA512 b4790513bc2e3c32d4dbe93a7b896839db70a995c4f96a41ece639660c4b9f1cec88ac27364f791fc341d30475b905ed37652eac2cdc6df6fca615366a23c6c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84abf86211dead3aa2f3419c64246624
SHA1 ba4bc45537b1e7cd94b2833317a7f34a680b4f29
SHA256 55060e7dc8da678e6775fbc0a0d707f3f87f17c4a199733e4f3622787eb4313d
SHA512 f087a364f167d327a8049cbec8bc2c93f56210264b0001c98b732cef591dbc4fca7cee82c7ec5f795814c1c370e6e40e0648de237dbea327de7daf5b73c503b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c15cdba3e94404d90f26b7d2ee78e5e
SHA1 7df852a81bb8db3edfcbfcd8b2a4bc753f5a4021
SHA256 a1486f58521da8b2d085d5192a7c9efdc7db875c3c64f002d8545683633f3b70
SHA512 c05f3bfe6c2507ba2904d081b4c69189298a0050b2074800e538903510099413fb600d79f928e7a2ebcb7fb0925d12095c3f155355f86a5909e13b2e911f270f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ace5c9fced3230779a32100d9440477
SHA1 454edd46971846433be757930aa252313c76656c
SHA256 8db88867feacc6ccfd80db8e47e249a47c0da748c9494aeab662092756d2f0c0
SHA512 873993189acb08e60d4382144a9fe8c696de0b5c8e4fb69a4a7955ab8ff2e69eb05744a31d306534d5793631ce197e0240235a0323a86eb7bbbd0177114db4b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fcb150318549b30c7ef2cee59f057dc9
SHA1 79647f0934d144501b1ff4f99993c98af3472d2a
SHA256 838b5745e66dfce839b2f3d48247f01309d85839898afd5df2d61d6a81e27501
SHA512 d7b78a6d7ac9c1079ba211ca7fd641851300f1bc701750e370b0783dc1818e93a31748d55193dc30b381f65cecfa06b0b3a8e1f9a16e7c968f2362b3f0ac768b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 81840eeaac2bfb899f98cffd9330e7ff
SHA1 129f908f280d76add57bd141b42127579f3e5986
SHA256 32cc1cdb3d1500792b3a267833a0dea215dce2e9710f90fd839bd20fafb73ad8
SHA512 e32801a89a54a4767536b503ab5f57b7f85e481b558fb17dae7ad044920fb6535f6866939324e26c7add225be11bbe4374fcd1bebd2e69bf2c118f0ba596e964

C:\Users\Admin\AppData\Local\Temp\~DFF4E713DC7CC6DB93.TMP

MD5 741ce80eec4612b9aed6913da676c233
SHA1 d6fc8fd2fa3bc1e101d958488930eea9edad00c5
SHA256 070ca9e62e278c739ff47ca30ffa65c00732ca5bd8d8f5116309888428bd9eb3
SHA512 8fc2ed439864e32ae71f920ed6e07af9681ef9b2452199fe26a3430f4e4c7b2ff6b2b7558ff943d691983b39adab4b82dd8933a6dd3c823199dd49f50115a093

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a5e8193f7c104082cfa15111412b7e4
SHA1 04c9cbbf30897a81733ce23a36d19f725e37b220
SHA256 37b18d7f4dcb735b3a1799d227ddb824463b0c163b3dfd710bdd5082444960ac
SHA512 5d5c709788ba354f7e6fe6f7a5bb88dade6142d14d16be56f4a81d986ef4caab2b9c21d8b77961f2afcc609930e6fb78d15dcdda5c42fe8bfcba5cab9944f323

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d40b2e130a91ce17f1e6525a45a50ff
SHA1 fa5785c1f1ad69124ef33aeaab17f3c43cc651d3
SHA256 242ce517c84e7ea487a384783792de241164a39a6e7c8dbfc2532b3a4fc46e89
SHA512 5088e5e452465741bde4bf750e14679699277be9b5a03ec22b5381eae225c5fd46312b2f237f441dbc512cccd7e44c8fd387cd77a08b93681ccab259db65d944

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe015efb58a57f869f2cd27447430510
SHA1 16302f4912e110e98ae9b822e9fd8eab6b2a2409
SHA256 58671abc7e470fd765f3cefa438454493b056b51aecbcb2e3def16cd41ad8a63
SHA512 b636c34f86b24626e2a5eb38d78c015bd539231339775b442a4eaa1e43c57f15eb588ff4623e6bb81aa4b922b54b2f0f9d7c788c501051c71359582700031e3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e703fced03605bb602f84ac8510c05a4
SHA1 97672915415f7abca0460c48ef0393acfd00bdc3
SHA256 c5dd19fdb4c0041afccdb601e74e8a63b118196ec528e60bc1538dd583492a32
SHA512 1321a6a1c078019a96fcdc3fc1d7b33281f889897b8280ff24ae7d3cb11ad2500c7309fd61cec14302a683e89fd84496e4b880d500d5fa5c2091dc35d6014572

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

MD5 eb3db38cd5857c265d78dd7edf1572aa
SHA1 15839913ed190c111fa78d2414d6276fd6885c93
SHA256 6c4ce4c9806861541fa8f33cefbfa041f3b822fd12ff92827787e443fa897ec0
SHA512 1b31609aca52e6ad5acff50687af7b5be60b3389da237800d6b5ea5528da965b1f26ae48dfd4f452a5d696a38699834665398d79b6a29e94f45caf6d57b4d668