Malware Analysis Report

2025-01-22 14:54

Sample ID 241214-bktx4stqfm
Target 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc
SHA256 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc
Tags
orcus standoff discovery rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc

Threat Level: Known bad

The file 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc was found to be: Known bad.

Malicious Activity Summary

orcus standoff discovery rat spyware stealer

Orcurs Rat Executable

Orcus

Orcus family

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-14 01:12

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-14 01:12

Reported

2024-12-14 01:15

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Program Files\Syncing metadata\Explorer.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Syncing metadata\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
File opened for modification | C:\Program Files\Syncing metadata\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
File created | C:\Program Files\Syncing metadata\Explorer.exe.config | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 840 wrote to memory of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 840 wrote to memory of 5020 | N/A | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 840 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | C:\Program Files\Syncing metadata\Explorer.exe
PID 840 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | C:\Program Files\Syncing metadata\Explorer.exe
PID 3088 wrote to memory of 4536 | N/A | C:\Program Files\Syncing metadata\Explorer.exe | C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 3088 wrote to memory of 4536 | N/A | C:\Program Files\Syncing metadata\Explorer.exe | C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 3088 wrote to memory of 4536 | N/A | C:\Program Files\Syncing metadata\Explorer.exe | C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 4536 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 4536 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 4536 wrote to memory of 4772 | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | C:\Users\Admin\AppData\Roaming\Node S2-N.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe

"C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Syncing metadata\Explorer.exe

"C:\Program Files\Syncing metadata\Explorer.exe"

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 3088 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /watchProcess "C:\Program Files\Syncing metadata\Explorer.exe" 3088 "/protectFile"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | vimeworldserverstat.serveminecraft.net | udp
RU | 91.227.18.174:3306 | vimeworldserverstat.serveminecraft.net | tcp
US | 8.8.8.8:53 | 174.18.227.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

memory/840-0-0x00007FF8ABFF3000-0x00007FF8ABFF5000-memory.dmp

memory/840-1-0x00000236C5D40000-0x00000236C604A000-memory.dmp

memory/840-3-0x00000236C7BB0000-0x00000236C7BBE000-memory.dmp

memory/840-2-0x00000236E0570000-0x00000236E05CC000-memory.dmp

memory/840-4-0x00007FF8ABFF0000-0x00007FF8ACAB1000-memory.dmp

memory/840-5-0x00000236E0450000-0x00000236E0462000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 20e49432591aeca9939d49f7e31d0ed5
SHA1 4fc0011186fd5b88620c503d42a3c62000a3b7fd
SHA256 7100036177c61bd0e5ecf14e70bb9803f75b2807b076974995dfa1175d2006c9
SHA512 37b23b5bb7f93e46fcc22d86c5fa1890e8db0b1683515aa2e22d03ce80e7ee0e8fcaad2de695582f2c4adee2e338d447a6be343ee04f0717482c746c07fd0afd

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 89817519e9e0b4e703f07e8c55247861
SHA1 4636de1f6c997a25c3190f73f46a3fd056238d78
SHA256 f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512 b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

memory/5020-19-0x0000024977990000-0x000002497799C000-memory.dmp

memory/5020-20-0x00007FF8ABFF0000-0x00007FF8ACAB1000-memory.dmp

memory/5020-22-0x000002497AE80000-0x000002497AEBC000-memory.dmp

memory/5020-21-0x0000024977D80000-0x0000024977D92000-memory.dmp

memory/5020-26-0x00007FF8ABFF0000-0x00007FF8ACAB1000-memory.dmp

memory/5020-27-0x00007FF8ABFF0000-0x00007FF8ACAB1000-memory.dmp

memory/2136-29-0x000001DC23F10000-0x000001DC2401A000-memory.dmp

C:\Program Files\Syncing metadata\Explorer.exe

MD5 595866ce3023aa7a94a221bcff8bfe15
SHA1 f1f8c080b238b7ea66d0d42732268fca9ae77364
SHA256 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc
SHA512 75a406fdb7b862786f9ad402ca475affad57393d604669b2912db5cca3193f538f4fa5512d5f1524bdff4006cacd0ec664b5451f18a292ae2f34e2686f2d5308

memory/840-45-0x00007FF8ABFF0000-0x00007FF8ACAB1000-memory.dmp

memory/3088-46-0x00000211AF260000-0x00000211AF272000-memory.dmp

memory/3088-47-0x00000211C9790000-0x00000211C97E8000-memory.dmp

memory/3088-48-0x00000211AF2D0000-0x00000211AF2E8000-memory.dmp

memory/3088-49-0x00000211C9B20000-0x00000211C9CE2000-memory.dmp

memory/3088-50-0x00000211C9400000-0x00000211C9410000-memory.dmp

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

MD5 7796236d80b9e55f9571418e05a9578b
SHA1 14039d2800ca54c49c817b1fa35bdf45024ceab7
SHA256 02ea168ca6eb5b6211d7525ada5e100323d41155620ca40a149038b61fdb6cc5
SHA512 604b70f61bc0d8348b05921d46ce8aaa411a46ffa82ae516b4ba5e4df66759712e71bed77971a7c501e97b5f5d8a22440a29837fa7ce8e0a55ed5ee811e32cd5

C:\Users\Admin\AppData\Roaming\Node S2-N.exe.config

MD5 7efa291047eb1202fde7765adac4b00d
SHA1 22d4846caff5e45c18e50738360579fbbed2aa8d
SHA256 807fb6eeaa7c77bf53831d8a4422a53a5d8ccd90e6bbc17c655c0817460407b6
SHA512 159c95eb1e817ba2d281f39c3939dd963ab62c0cd29bf66ca3beb0aff53f4617d47f48474e58319130ae4146a044a42fc75f63c343330c1b6d2be7034b9fa724

memory/4536-66-0x0000000000580000-0x0000000000588000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-14 01:12

Reported

2024-12-14 01:15

Platform

win7-20241023-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A
N/A | N/A | C:\Program Files\Syncing metadata\Explorer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Syncing metadata\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
File opened for modification | C:\Program Files\Syncing metadata\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A
File created | C:\Program Files\Syncing metadata\Explorer.exe.config | C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Node S2-N.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf000000000200000000001066000000010000200000002f46b77919e017bb1732afe1d8c4ee1cd31b4343e766165fc9a6ef8626af09dc000000000e800000000200002000000007231018c943faf91988d3efeca800641180a924d3e35d216a0d5341fc1765c42000000089b2b351443fc00af932c8e43e5326f37f525a2fc17e69a13ab0d6243ea28a0f4000000091be14c68115a11f385e3c420bb8b90b8e033e5d380e769fa12e76471bc18a9e82b88fa995f693e0898e1d5cec6bdba51eb80f6bc03c0fb061caf44e8c77f1bd | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440300634" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{86CDBD31-B9B8-11EF-9D85-5E63E904F626} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = […] | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0327c4ec54ddb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Syncing metadata\Explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Syncing metadata\Explorer.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1996 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1996 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1996 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Program Files\Syncing metadata\Explorer.exe
PID 1996 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Program Files\Syncing metadata\Explorer.exe
PID 1996 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe C:\Program Files\Syncing metadata\Explorer.exe
PID 2800 wrote to memory of 2720 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2720 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2720 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2720 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2720 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Node S2-N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2720 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Node S2-N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2720 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Node S2-N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2720 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Roaming\Node S2-N.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1252 wrote to memory of 1016 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 1016 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 1016 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 1016 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2800 wrote to memory of 1920 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 1920 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 1920 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 1920 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 1252 wrote to memory of 1732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 1732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 1732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 1732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2800 wrote to memory of 2308 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2308 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2308 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2308 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 1252 wrote to memory of 2268 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 2268 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 2268 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 2268 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2800 wrote to memory of 1652 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 1652 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 1652 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 1652 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 1252 wrote to memory of 2188 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 2188 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 2188 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 2188 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2800 wrote to memory of 1876 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 1876 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 1876 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 1876 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2388 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2388 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2388 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2388 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 1252 wrote to memory of 2788 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 2788 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 2788 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 2788 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2800 wrote to memory of 2176 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2176 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2176 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2176 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2484 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2484 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2484 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 2800 wrote to memory of 2484 N/A C:\Program Files\Syncing metadata\Explorer.exe C:\Users\Admin\AppData\Roaming\Node S2-N.exe
PID 1252 wrote to memory of 1184 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1252 wrote to memory of 1184 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe

"C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Syncing metadata\Explorer.exe

"C:\Program Files\Syncing metadata\Explorer.exe"

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=Node S2-N.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:209939 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:275482 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:275504 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:4076563 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:1127471 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:3683371 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:1061949 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:3814488 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:865335 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:3224665 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:1913946 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:3552436 /prefetch:2

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

"C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 2800 /protectFile

Network

Country Destination Domain Proto
US 8.8.8.8:53 vimeworldserverstat.serveminecraft.net udp
RU 91.227.18.174:3306 vimeworldserverstat.serveminecraft.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1996-30-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

memory/2800-29-0x00000000001C0000-0x00000000004CA000-memory.dmp

C:\Program Files\Syncing metadata\Explorer.exe

MD5 595866ce3023aa7a94a221bcff8bfe15
SHA1 f1f8c080b238b7ea66d0d42732268fca9ae77364
SHA256 72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc
SHA512 75a406fdb7b862786f9ad402ca475affad57393d604669b2912db5cca3193f538f4fa5512d5f1524bdff4006cacd0ec664b5451f18a292ae2f34e2686f2d5308

C:\Program Files\Syncing metadata\Explorer.exe.config

MD5 89817519e9e0b4e703f07e8c55247861
SHA1 4636de1f6c997a25c3190f73f46a3fd056238d78
SHA256 f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512 b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

memory/2892-20-0x0000000000180000-0x000000000018C000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 20e49432591aeca9939d49f7e31d0ed5
SHA1 4fc0011186fd5b88620c503d42a3c62000a3b7fd
SHA256 7100036177c61bd0e5ecf14e70bb9803f75b2807b076974995dfa1175d2006c9
SHA512 37b23b5bb7f93e46fcc22d86c5fa1890e8db0b1683515aa2e22d03ce80e7ee0e8fcaad2de695582f2c4adee2e338d447a6be343ee04f0717482c746c07fd0afd

memory/2292-18-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

memory/2292-15-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

memory/2292-14-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

memory/2292-13-0x0000000000860000-0x000000000086C000-memory.dmp

memory/1996-5-0x0000000000480000-0x0000000000492000-memory.dmp

memory/1996-4-0x0000000000240000-0x000000000024E000-memory.dmp

memory/1996-3-0x000007FEF56B0000-0x000007FEF609C000-memory.dmp

memory/1996-2-0x0000000000BD0000-0x0000000000C2C000-memory.dmp

memory/1996-1-0x00000000012D0000-0x00000000015DA000-memory.dmp

memory/1996-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

memory/2800-31-0x00000000007A0000-0x00000000007B2000-memory.dmp

memory/2800-32-0x0000000002330000-0x0000000002388000-memory.dmp

memory/2800-33-0x0000000002290000-0x00000000022A8000-memory.dmp

memory/2800-34-0x00000000023A0000-0x00000000023B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Node S2-N.exe.config

MD5 7efa291047eb1202fde7765adac4b00d
SHA1 22d4846caff5e45c18e50738360579fbbed2aa8d
SHA256 807fb6eeaa7c77bf53831d8a4422a53a5d8ccd90e6bbc17c655c0817460407b6
SHA512 159c95eb1e817ba2d281f39c3939dd963ab62c0cd29bf66ca3beb0aff53f4617d47f48474e58319130ae4146a044a42fc75f63c343330c1b6d2be7034b9fa724

C:\Users\Admin\AppData\Roaming\Node S2-N.exe

MD5 7796236d80b9e55f9571418e05a9578b
SHA1 14039d2800ca54c49c817b1fa35bdf45024ceab7
SHA256 02ea168ca6eb5b6211d7525ada5e100323d41155620ca40a149038b61fdb6cc5
SHA512 604b70f61bc0d8348b05921d46ce8aaa411a46ffa82ae516b4ba5e4df66759712e71bed77971a7c501e97b5f5d8a22440a29837fa7ce8e0a55ed5ee811e32cd5

C:\Users\Admin\AppData\Local\Temp\CabCF04.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 708e20198ee07d2d033a9bf7d1cb1b6f
SHA1 c0439508ed66b00fa8d3352104ea3d6e4f2ae608
SHA256 74e707c7b6632b7ba32d3f410b94107edc22e9d6aa90a57f27300a69c57f0596
SHA512 cccc7760201a639d0c7a678e06673ae7049fbaca61742a7df9e1c2e63c89f86fc73689fee976153fc62eca3d61e31cfac33fc08bb7b9c10105e40f81aa4076e3

C:\Users\Admin\AppData\Local\Temp\TarE87C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b73244e5ca31b25bc16fcef16d5a798d
SHA1 91b59ada0ce9c099c747ede56bf38488a8a48899
SHA256 8ffadc75a97bdc5ddd1859e8722f4e5721eb4750f1b64c1e44d170c27f733178
SHA512 e9532563591021d8fcf0cc31ed38920b06a07d9cb8d2e9c7c475a88d950b6f8310d6dd155aeddedbed46df4f3549e4a22ef988c721e759b2d367fa34a30f7207

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75ee5aef2e2e2c8af812a96585363a18
SHA1 26128e1a674444e6755ead04f82b103e1f66599e
SHA256 08086e010694ee5f21d7a3586b1d00d766f140962131f843c039305d55c42865
SHA512 1a0edcffb074a2bc32b0df2c4825f6d0253296676d2a50571301541a60c48241c9bb9786ce2df37a083b33deaca0514a0c54ac4e3fae37a55062069248830f47

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 465761da19b006fcc9c5e4dc47b620a1
SHA1 a4ac08cbb3651d60c8d2c02d0d641ca0b873dbbb
SHA256 bf9ce745e47be4617035405d870b6218c1ae96473d92d6999681f25f527b6415
SHA512 ce58098f22cc2bbed9ecc21a5a0b35d3f22e6a5e8df93a4ca885ec6a77b9aafcada4f9744dc0d94d2dbb14e4276f0f2b871dbe4ba8ac8fa884976898886b1759

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0216364f80428fe2dffc6025864b130c
SHA1 ab6e413d6a57c4764ef45a2bb0fb0b6d87f422b6
SHA256 b9c627e3c108a5e0cce2e19c915ba96468a0e36a1a77a77ef83449663a32b3fe
SHA512 79d9b770129a79c9eb835e7eb2b0c40e864ac9bfe84b0153140333a4f91b7abc8eaf082314ac5aaef81b0ac3ba5eb13d931ff5da553adc29505043ce27e13525

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c2f927bc59364eca8fe1e0815f81e69
SHA1 249370f5a12190daeceb6eccf7184f547f0630cf
SHA256 a625e8644948b65f1e9480d930268da19c66d677df558dabb521cfe3bb78d611
SHA512 557051fc2cbcbb1301d6261f40cf28150573f51e5e1eaf8ad4d03617095be7ff7f972215c6f941cc57e02f2d938a983c0d6c5c8973030faffd76c16fe59a21c5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28bb785c2dfa44237ba8464b2ae1d04b
SHA1 815a95bb5b9b78e5cd47b7c982dd41729252cfcc
SHA256 da222e733a4884681a50b682072f343b3298d48c23e2bca850fac0833f5e86a2
SHA512 9190d742ca823695ba709205e6b18b9bb800a2dce8f48ab39892f985d6b967933bd1b1e9762f132ce9540dace840f1c5873e6fe00132ae7787e9d79312904f50

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b836740967f3fce9238cae6eae961be3
SHA1 ea69f3c12ac0656eead2c9bd93d69b659101d7a2
SHA256 e3302021bb573a8044e9c360bb3f5d3dcce76b4f38a973f62c60d38cae5748ba
SHA512 7eda921df6866e300b6f79c52725dddae5377b561d793044c6db17f9705a71e1ca2441dbf51c797f6df4fd034f77f68982ae90a0f3efcc5d3e4fcc40cba9c01f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e91300dd53e7f4765ba45015f7deb4d1
SHA1 c666efb38df4f6dfc63d1b5b616b5e3133b6d400
SHA256 6f72669363d376df6cf3e2c93c6cac94aa4051e169287cfbd5fce5535b98d594
SHA512 9767a2411c9a73a70e94085e8b2db04caf412c47eeb0e375d265666308c265467611ddb2f7a3fc456f8f1498e84347c8f49abce0e4cc1b438b8cbd455c8ce03b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 905f04b15a8638d35321fd73fe6a0112
SHA1 adee49a715e2f876677ecd66d8fd129aa47bf495
SHA256 fe85233329952d7923d6288fcb216813631373d729f4609033c0ca435b33187d
SHA512 cc2adf819f70bfd1b608902b3e01d4d89e4ba1ee2ba68bcbf91a4a598120e76800198281c15d8e4e1511e6c95e07d752e6fdfdb93c1c04f209a3f6b2cc0959d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df3353ce0fb0e614a9200d4edbe5ef17
SHA1 29411fddf238ae9a11d227fa4ae16fe7ee546cf1
SHA256 fc17f096f16bff352109a99e2375308ed4b06f32d9a8906e55534a2b5e54c6ea
SHA512 d7b717b1ae17faf52d76183d5971814cf723527edd556ab6891a8de9ebb1176746c1acb4b25d4625937ee5bbf5ce6308eff2917795c652a5b4e79f3f2f31c026

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42da534483a646fa0adab4b3d177e0bc
SHA1 9981c154dd5b1b238f79a99e8373a5b80213bc93
SHA256 d9fb569f7f30e85f40b98ade25c9771c2b48c7bc4d17c4c32cfbc2df2534cb54
SHA512 f315e22397fa24ef450e24a98dd386f2bc66a93d04c2a66f554a1ae1fc6908efb8dfba80fd6f3fb38e36defc74b5aad7a3bd13ff4ccc0e883c9e6ecf05f982c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e107128ffd787c3731d55f801dddeccf
SHA1 5ae30b5ff91034548133ce4f4b08d13a89b0d898
SHA256 a1f41963ec65a2821d5c1975ea6301d804d144ed3345b779bcc0049f73e29c78
SHA512 46d629e2f84d3327debf6697eb9f1148f9fca9dea3cf71bef3f7ce298b9dec7fffe4db2705dddcf1abe63a702cedf0258d2069e1c42dc94cce33e6c3240096d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be154d6d3e6662348d2d11eb2e3bcfe1
SHA1 bf19510016f3de8715c8bdf6f3d23e2a42b21b11
SHA256 4a5a5162faa3a3534346caa6004f3b2cf7f98d71b4cffdc842f9847f0b5a43ef
SHA512 7114d8c58c1bae1b8949bb2946a1d703a73021e6223cfd094804d9caed4abcadb360b0b3fc00fe140a686baabe4804f3f49d514533cbb6ec84fb8d8013c6ddca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 87e63554f2f7c9b2af96889841a4b04e
SHA1 f0e179807493c59cf764c500e232bc650a5acd98
SHA256 978e75c7c1bd7187b3ef405aa0474619a8ae1bd1b90f8b542af9324d1c1eb934
SHA512 bb46ebd9e2d5ee193c8852fc568c1e16706b7ae17d15018d0470d642d38f0e361f3744a2e91400053e4e19a16d245d6b7e4fd15bdc12a06a9f855c3a7e7b9d74

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\invalidcert[1]

MD5 a5d6ba8403d720f2085365c16cebebef
SHA1 487dcb1af9d7be778032159f5c0bc0d25a1bf683
SHA256 59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7
SHA512 6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\ErrorPageTemplate[1]

MD5 f4fe1cb77e758e1ba56b8a8ec20417c5
SHA1 f4eda06901edb98633a686b11d02f4925f827bf0
SHA256 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
SHA512 62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\invalidcert[1]

MD5 8ce0833cca8957bda3ad7e4fe051e1dc
SHA1 e5b9df3b327f52a9ed2d3821851e9fdd05a4b558
SHA256 f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3
SHA512 283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\red_shield_48[1]

MD5 7c588d6bb88d85c7040c6ffef8d753ec
SHA1 7fdd217323d2dcc4a25b024eafd09ae34da3bfef
SHA256 5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0
SHA512 0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\green_shield[1]

MD5 c6452b941907e0f0865ca7cf9e59b97d
SHA1 f9a2c03d1be04b53f2301d3d984d73bf27985081
SHA256 1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439
SHA512 beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\down[1]

MD5 c4f558c4c8b56858f15c09037cd6625a
SHA1 ee497cc061d6a7a59bb66defea65f9a8145ba240
SHA256 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
SHA512 d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\red_shield[1]

MD5 006def2acbd0d2487dffc287b27654d6
SHA1 c95647a113afc5241bdb313f911bf338b9aeffdc
SHA256 4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e
SHA512 9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\background_gradient_red[1]

MD5 337038e78cf3c521402fc7352bdd5ea6
SHA1 017eaf48983c31ae36b5de5de4db36bf953b3136
SHA256 fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61
SHA512 0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 750198797dfa0db9167129a32dd9dac4
SHA1 a42eb618d2590c6d0b3d0463009b534b8ff506b1
SHA256 dbb9dd8f938f141473b0a0bdbe22c7e859f5e85e4486db94e94a39a8159d1e34
SHA512 2ec0064dd1377a557b5544b2bdb8bbd62b5dd3a3c78edcc60999cb8e3e22993af38b61bfd0f43e74b0f4e41ba5879c9403c1f8f9bd3914bf968c03e337b11742

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4468f18bfd05e21ba86e9ea6c2e07f9d
SHA1 c0c09b1e51f47fca2cb4fa4d7f6c4f4edba88970
SHA256 9389ed14ca2f76a1db60898afe454e5fb3041189e961fdc9dd31d2af132d1f12
SHA512 9873cade0b0fe8118efb07a19634823ec869872ba225d6a801684d72cec110490b0cbf95c5ec41bdbd26e5fc7f69d221e1dd5ae5ee9e1103e4605eb29c2a1cf3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1203f67ccc15f86b3baa438fc40ff87
SHA1 70605e2865b23b0c3677a2dc8d37b5b398920a94
SHA256 c919a501c7a623c627529b81ce88c7ee2afd3bcc2059bf340021e23f1fec7cf7
SHA512 7e31e334c3fc047da9654a4bab36d101322a23a1f6ebb643675168a4400611a40c05d7787c96c0b01847ff7ecae5e610fa7f25316a6db3863a3960056cc4089e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d1b3250bbdf6f548be4bb3898d5060d
SHA1 925d4eeb6e7e2459cf328c5b1fb4efc46ab3302e
SHA256 9d3fe6c05b93251855fb818e15ae50b8cdd868949040a9dcfa0a65e213f5b0d1
SHA512 76f767d2a29eb072a2e5a405715f682ffdb0acbfaaad0ffcf3ed0064cc7422fa95b1278e429e78ce34107c840206c821b6c2bbe1dd3d6b07c5c898bdcbda6dff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f2e0c8ff65d467054db1986ba0a1421
SHA1 162c87bf1d6302a1c45505f86dc6ff98c2fb8531
SHA256 d41edea2c332a8b275e6e0806a63f8b413bf5c206ce0f604c6bc23c4d8c20241
SHA512 8ae789c7b5b03b7e9043e5c6314dcc7cecfa84abe686f0dc100095642132a3f7e61d6508e651207d15f20eb03b40c6fd1c8386f368a7d78439a7a8d0b5eca294

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59d7562e325061aabc6c6f2df7b674da
SHA1 733d23f156f952ceea378ba900862ad025500b2c
SHA256 0666abe5c00457491057a7548fa4e9310bf858d0f6ed04d015594121e3fd0a14
SHA512 742dda3f1e25c67fdddadd5dc8564d844e7e944f3025f1e443378f86f376c7ebcbcc4c4425ac9914dd8312f0c70ed5647b88ca21f02417e1dc5f52274ad22ce4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70fb03e3e3bd22aa3c93dd99f1934e40
SHA1 2070eae54d3ed4a86566b3d142e82e71e81e3faf
SHA256 36d493ca614384603a28f6f4fbf764c21de0ada810b38393355c6dfe611ab417
SHA512 43e5aa89da6fd128bdd1dec1a285ddc3c990fa9706764f21642f63f0bab0ed07335fcf9ce716d41ff66edb9a117faaf4df019b0962579dde8a99ba5015e9a32f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db10888c21d31542f5f058e059fdc413
SHA1 4e95923ed7a49cd6924992ea8e04d41c8f1734b5
SHA256 105749ab7306bc60aef7a9ae4bed28e98fee8a23132846198904871eda05fefc
SHA512 f0ff4795b78715aeb48a26e806ee9b0fc9ad91eec7c00bdca8466dc614bdf124e0f3f64097bbba23804819ae6cd8e6725af37cf323ba9db65e0238f2f1850ce9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2517d4856e5425d82400bd9fcd9d2113
SHA1 735fcbf5c3a1ece9a7c61a4fdc98c70ad90fbfd0
SHA256 10fe90c6e2451d952c0ac27e700ff87855776eff0e8b71c1286152ab9ee24715
SHA512 b16b2f49d33aeb4debcc3f6fb9bb85942bef9eb98ef1ff2c88feccb9e2ad08ac04fe8f6fb9fbe69d8919b1555e44a5ee04d3e0941cd322b6e93164707998585b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76e6f0694775e9dd3e712b923cb182e3
SHA1 6854df00c79e69b3a34a913484b658c8838b206d
SHA256 af326677ea36bc3fd9492bb8021c4ed491d7c955467b9b4825fadfcb95479ef3
SHA512 1d6e857788ff9d78f767f545ef846e67a69db1b34cb92c872220141def58ef182c2aa20f804320ef4e629287ee57cd4457ceb42d2d04a492240abb755b17fe31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf8aeb9388f781548131398b42680d9e
SHA1 182a4cce6faf130d727db59393eb7fab50c4a37e
SHA256 d3ae5565a6591cd2b2bf58eb55ea2d297a479f57cc166ffd79d463cd4ef6373f
SHA512 2bdca2b0febcf78af1d094a57c61b052c591e16c8bf23e76251039915343cba9107f5ce45915f076972016ea24769cdfae74b6eb304f3d2313288146bf0080c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10defaeb5d987d04a3bbadb73f597062
SHA1 7f37697948d2597a1cd37d9d85ea06f6a2886f87
SHA256 4dcbfd895de213f29147e1bf1ec3041f98277c714e60c5f5f8e7912e922be472
SHA512 9afc92d90fa9f7c6e7a0db66dd36042e020eee7e80f77e3557a5111816bbfb0f17dd1362afe4ba31bf4756dcd787385d906e84e15c524c2defe9ed8297eaf515

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ac12b40053ecc4f6a9153e94ddec988
SHA1 a02fa72167ce012876402d30e60fdb3d2f756221
SHA256 0b586492cea11891ce5bf74c4ea78622e576f2eeff2481d35b08aeb9cf79b9e5
SHA512 a294a364c1d840e18fe5a65e08033f118f95cbefac77d39b4d197fe45b19bb2f483e8c35735e6f1a62e9ce2bc917ff70f4355a6180bcfa8b4e9e839eadf37c88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ab08da2e56c465443ef81705986a95f
SHA1 cd46e2e7df1ab65683144bb6c88237cd5cab00b0
SHA256 06bd6da20fdbcc1febca4d89748e356725a9e2993d7d7318d0c8613554112de7
SHA512 7fc6d4a8834a5f77d6a728c355c2c19e3398982f1539ff7255898c9d811d4f632026be8215bf22339d4f7bd10ece2dde7b8d1e595bab5b49c9971469a56502ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9ae5bf01313f08a58d0fa1f8415e39f
SHA1 1b79f2e1096a4a79faa2093939b44548148a6765
SHA256 8f745ba5b3b59f5d3d1bbd0b61a8cd6d0c0dbe133ce8a84fa9635a63dec85b43
SHA512 d990532d3654f0df10af90609ce3337246b8bec7494e7a94fac7828f9e36240d18563141de0defc10e0b443efb5ed96a9f75641f86faf07ebc6b3f5f17766d01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a07e0e8b3090cea642a474a17a53c77d
SHA1 6fd049ca0ae0ab34ed53805c884c6469a3923bf5
SHA256 62bcc3075959f46aea4f9c4e6f81bc9ec6e707e3cec97a467dd37894b2a73502
SHA512 043ccba0644d0078d9389bb94ed8c626e21a9cc246b2c2a959383bbd0928b058694842f699b736d906585bb27d36564aede7fef6a9857f0accb9251045374da4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e1a37bd12db5cbffc9ce924dc53b8f0
SHA1 05c75644b465d28be26e5cfd56103a2ce4b0959a
SHA256 1ff440642433528c0749af148e060a1be870ac898ac8bbac76d802196ba362e9
SHA512 a2dac600a2d8b161aa532f4adc20a3db3cf6033e155fe40ec1f489a348d1a5aaddb38c1350c2c8832f7787bd01b75695878caef8af4b7bbbb3ee8e66637c2bf3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9e36d6737d872ca626ecb32444326c4
SHA1 b4bc11b9339f8d52d45e2cf205d49dc341b00aef
SHA256 4f48065f5b629b88432d15fd4f32ae446f7f4215cf93e4799e0c53e7699be36c
SHA512 f1b37f55b417a4729d77bcab833b3184644d437d68a1e709e79723867113da3471cee0af02b5835723255437af6fe1d010eade1c972f53dc90750426f5e92fba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a37b60eb516544b277d7225e69c66908
SHA1 5578fb667f049d3c7572b8fa86d4b6a1c40a147a
SHA256 f32e9dcb4ef02e37060b1a44124cf2d9cc2ac216b64f160b3df55a4fea0cca88
SHA512 a5f3026264cab99667de03d289363c08bf531cf6b3c25925d302f4920899f3d2a15f56dad1968f95b292aca068b1b15c43291ba8d3737a75f8720710afe498de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5de07582a1574b62b1078bbb4d40ae80
SHA1 2b5f20455fd557bd49ac4e90181d7818fd1109f7
SHA256 b81d827d531f8137c3985ab447f1a363f4488417f0fb708751ee16cb279a88eb
SHA512 e9a2d2484e000bcbb6021d4f97807ba9e1f16652ff86eb95ba28f56dea20adf2f8b4b6b0707113584f6f9530bf448486307b83197896f9893d62cfc78e364735

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0f8ac2153a977fe46fcc2577a827eccf
SHA1 fd10bb958c7e270a7c07ea6bc2f9b62d46257dd5
SHA256 4608719bd3f5d2e27d01778d101fa23fc603bbf8d5e6573f7ebf4e15b3530af6
SHA512 a9b069f4540132ae2b3694525b5755928aeb2f5c82af46a44f27c784f4ddcaa274d0857e1621105029d9474330cd4668ab057cb2470b590c4544ba7ef0bb2769

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20e9695b9f520ce9750a793f755d8e29
SHA1 73d55497074b674f0915c0b4f0fc489804449931
SHA256 9a50c497dedf61bde29cba845eaac7c0c831e0365dd1946bdeaa0b1e6dbb29b0
SHA512 394ef228f6174dde34635bbbfa2e0464549a886d426138e3e68e7341c518f3389abf4cdf2b25597695d82cad6fc482607267794faa5b2444f0611726c6c2c3fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3828db4640ee23b609af4735d990db31
SHA1 c39297f0790c88aee21dce679db0cb3d20b73429
SHA256 f6fede1da006728a4ec7b935ea166eb95cab4fd1f98a607663efe972c13a258e
SHA512 e5e7ff1d094d82537a4aa72e9d31c45f6d177b2ea3c29f99ce9b0321977b4d0c7c1906689354eb2f6817a506cfac35ef14674dcf34f1b722a92d575bfdec0d5b

C:\Users\Admin\AppData\Local\Temp\~DF16DA5A164BEC4F4B.TMP

MD5 ca9f0bff96742a8d619e6f5eb9e6afef
SHA1 d50fd84c64bf0575bf8ae37b00219d85f5386a0f
SHA256 52ec9ed75356c44f4a41a73eeec04f5b07948381132bde117e109c6aec7730c7
SHA512 aedad1366d5051f6f1193eca2bf422211046ad2b781f410b27e9bdec77127edceb7d9c44644d8fe5ade7347c2a799d5b8801c0f8aaac5d409d6beac4b0537d0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06e508123ad6ae70d681863de9995adf
SHA1 e3c13762c0a02e5eee43c2afec60a06340b1d8bf
SHA256 8eb035bf435f97592c7d0906ff3d97bb294d2d987e62f9cd0e33be227a8355d0
SHA512 843b5d4d1a224e1606cbc821298ba81e6d99747f4c7a99e20acb6bda820b1b1dfde989bf7bd042b305845bd046aa39d3b73f5cb1331f6536449a00172646701d