Malware Analysis Report

2025-04-14 06:58

Sample ID 230926-c9ncasfb29
Target d242355dfa20d58280aa72867f41ce60.bin
SHA256 15215ef1a38db2cc2c73260fe2fdebb86cc367675d20f0c02f02165cb6b8ea49
Tags
djvu fabookie glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) up3 backdoor discovery dropper infostealer loader ransomware spyware stealer trojan microsoft evasion persistence phishing rootkit
score
10/10


Analysis Overview

score
10/10

SHA256

15215ef1a38db2cc2c73260fe2fdebb86cc367675d20f0c02f02165cb6b8ea49

Threat Level: Known bad

The file d242355dfa20d58280aa72867f41ce60.bin was found to be: Known bad.

Malicious Activity Summary


Detected Djvu ransomware

Glupteba

Glupteba payload

Windows security bypass

Djvu Ransomware

Detect Fabookie payload

Fabookie

UAC bypass

SmokeLoader

RedLine

Modifies Windows Firewall

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Windows security modification

Modifies file permissions

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Manipulates WinMonFS driver

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Detected potential entity reuse from brand microsoft

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

System policy modification

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Creates scheduled task(s)

Runs net.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-26 02:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-26 02:46

Reported

2023-09-26 02:49

Platform

win7-20230831-en

Max time kernel

27s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8CD6.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8B5E.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2664 set thread context of 2892 N/A C:\Users\Admin\AppData\Local\Temp\8CD6.exe C:\Users\Admin\AppData\Local\Temp\8CD6.exe
PID 2740 set thread context of 2980 N/A C:\Users\Admin\AppData\Local\Temp\8B5E.exe C:\Users\Admin\AppData\Local\Temp\8B5E.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\FCDB.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 2740 N/A N/A C:\Users\Admin\AppData\Local\Temp\8B5E.exe
PID 1260 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\Temp\8CD6.exe
PID 2664 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\8CD6.exe C:\Users\Admin\AppData\Local\Temp\8CD6.exe
PID 1260 wrote to memory of 2856 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2856 wrote to memory of 2752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1260 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\Temp\9244.exe
PID 2740 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\8B5E.exe C:\Users\Admin\AppData\Local\Temp\8B5E.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe

"C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe"

C:\Users\Admin\AppData\Local\Temp\8B5E.exe

C:\Users\Admin\AppData\Local\Temp\8B5E.exe

C:\Users\Admin\AppData\Local\Temp\8CD6.exe

C:\Users\Admin\AppData\Local\Temp\8CD6.exe

C:\Users\Admin\AppData\Local\Temp\8CD6.exe

C:\Users\Admin\AppData\Local\Temp\8CD6.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8F27.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8F27.dll

C:\Users\Admin\AppData\Local\Temp\9244.exe

C:\Users\Admin\AppData\Local\Temp\9244.exe

C:\Users\Admin\AppData\Local\Temp\8B5E.exe

C:\Users\Admin\AppData\Local\Temp\8B5E.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9244.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ceb5d598-d85f-4f45-b93e-c1a74d7156c3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c2772d6b-9051-4643-b023-69c70bedc332" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_state.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:640 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\8CD6.exe

"C:\Users\Admin\AppData\Local\Temp\8CD6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\B649.exe

C:\Users\Admin\AppData\Local\Temp\B649.exe

C:\Users\Admin\AppData\Local\Temp\8B5E.exe

"C:\Users\Admin\AppData\Local\Temp\8B5E.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8CD6.exe

"C:\Users\Admin\AppData\Local\Temp\8CD6.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\FCDB.exe

C:\Users\Admin\AppData\Local\Temp\FCDB.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 52

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\is-HGKKE.tmp\is-EE2FS.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HGKKE.tmp\is-EE2FS.tmp" /SL4 $601CE "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Users\Admin\AppData\Local\Temp\8B5E.exe

"C:\Users\Admin\AppData\Local\Temp\8B5E.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230926024802.log C:\Windows\Logs\CBS\CbsPersist_20230926024802.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\5f5da0b9-5995-4914-80cd-c3fb690ef81e\build2.exe

"C:\Users\Admin\AppData\Local\5f5da0b9-5995-4914-80cd-c3fb690ef81e\build2.exe"

C:\Users\Admin\AppData\Local\cafd0a93-5d4d-44bf-8c27-c68bce239a35\build2.exe

"C:\Users\Admin\AppData\Local\cafd0a93-5d4d-44bf-8c27-c68bce239a35\build2.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\5f5da0b9-5995-4914-80cd-c3fb690ef81e\build3.exe

"C:\Users\Admin\AppData\Local\5f5da0b9-5995-4914-80cd-c3fb690ef81e\build3.exe"

C:\Users\Admin\AppData\Local\cafd0a93-5d4d-44bf-8c27-c68bce239a35\build3.exe

"C:\Users\Admin\AppData\Local\cafd0a93-5d4d-44bf-8c27-c68bce239a35\build3.exe"

C:\Users\Admin\AppData\Local\cafd0a93-5d4d-44bf-8c27-c68bce239a35\build2.exe

"C:\Users\Admin\AppData\Local\cafd0a93-5d4d-44bf-8c27-c68bce239a35\build2.exe"

Network


Files

SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

C:\Users\Admin\AppData\Local\Temp\8CD6.exe

MD5 c082d1ba8c66d2c5adee770992c8c249
SHA1 b32b610c10181cd4dad3c40e7a86c709f6127fc2
SHA256 dc22f70898991db18ea5974191e1509bdb7a10bfc3b02333a4965af6374a0375
SHA512 ceb59c18fff468974b2c4f35922459d8be91d760368fbda9e1e6d9e485e53848a6745db0a9375e7be13d16f7362cf21f87e256be1d9cae31233c88726199e194

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\FCDB.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

C:\Users\Admin\AppData\Local\Temp\FCDB.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

memory/968-282-0x0000000002690000-0x0000000002722000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/2472-284-0x00000000FF030000-0x00000000FF0D2000-memory.dmp

memory/1896-285-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1896-286-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1896-287-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1896-288-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1896-289-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1896-290-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1896-292-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1896-294-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1896-297-0x000000006D5D0000-0x000000006DCBE000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/1896-300-0x0000000000310000-0x0000000000316000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/1372-307-0x0000000002630000-0x0000000002730000-memory.dmp

memory/1372-308-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1956-309-0x000000006ED00000-0x000000006F2AB000-memory.dmp

\Users\Admin\AppData\Local\Temp\FCDB.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

\Users\Admin\AppData\Local\Temp\FCDB.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

memory/1208-317-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/1208-319-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\FCDB.exe

MD5 5c5eb6489ecad14a5161afa90f965adc
SHA1 6922636c390d47f9a77dd30a1ef20a91a369587f
SHA256 cd0a41dd6a4877a00dce17561da67e03b99a6d88886be9b4b035735d16f1429d
SHA512 46c7d4f26a742d793bf26d430e6f185b2de8f5b7c6a6f7cf0c2bf14d971591c23cc2537341174548f7cfb3a1bc216d14ef95c9008a4bad068b8c8323ecdcdd1c

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ad0c898d70b35a88cfaeb770ac3cfe5
SHA1 6366c58f9974ef05b87e917980b9132c34c81cd7
SHA256 b82ef6b5fe3462b456b10399b0553ae72abc2578ef1b5835c7408641ac994f8a
SHA512 892ce1f66b04b543c9e4c240b907b958e474f59896a675cbb36be07f91f64e6a090df0e2022021419957b0b93f205383098ad4a9d881bfdd2404069704dc552d

memory/1732-348-0x0000000004570000-0x0000000004968000-memory.dmp

memory/1732-349-0x0000000004570000-0x0000000004968000-memory.dmp

memory/1732-351-0x0000000000400000-0x0000000002985000-memory.dmp

\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/3004-367-0x0000000000BE0000-0x0000000000D54000-memory.dmp

memory/560-368-0x000000006D5D0000-0x000000006DCBE000-memory.dmp

memory/560-371-0x000000006D5D0000-0x000000006DCBE000-memory.dmp

memory/1732-370-0x0000000004970000-0x000000000525B000-memory.dmp

memory/1896-372-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

memory/3004-373-0x000000006D5D0000-0x000000006DCBE000-memory.dmp

memory/1208-384-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/1260-382-0x0000000002A00000-0x0000000002A16000-memory.dmp

memory/1772-395-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b8a27931c473cd40b0a71cd8384b834
SHA1 35ec5179fbcc703954762b6c130b6e4ff227e551
SHA256 a087a4eb2b1f57e14dc10cb98fd07a99c50041663671d66b66b3da8dfbd9e099
SHA512 6cf881197e85b183eeef4dde029a49029d59b8dff22b7608d2e2f5ba4fb7599df151fca150d9ffc34f5c3ecefaafb8dcf9125214871c5d83ee717cdeaa684d4d

\Users\Admin\AppData\Local\Temp\is-HGKKE.tmp\is-EE2FS.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\is-HGKKE.tmp\is-EE2FS.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\is-HGKKE.tmp\is-EE2FS.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/1896-424-0x000000006D5D0000-0x000000006DCBE000-memory.dmp

memory/2624-425-0x0000000001230000-0x0000000001238000-memory.dmp

memory/3004-426-0x000000006D5D0000-0x000000006DCBE000-memory.dmp

memory/1068-549-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1068-551-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5903d385a4bd31dbc6bf4de37c6b7fdd
SHA1 463ee4f3b3cfe04e6204d0dae1448dd7c93fbdf4
SHA256 d78631142b07907fe9d79a11ebf8233b7311f79c875c499236e5dc00f132d837
SHA512 db4db07cc7eef2d8ee67b60585ae30b6fafb98c2765950172dc06697ec66510182baf6d7d615b4d05979867d691b941f41bd695445e81856f8fd494496e03024

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c1660a179645d599aea0ba89ecc2e0c7
SHA1 c266212935a3b507e185b70226b6e79ce281dff2
SHA256 a28e863566545e561f998cb16dc9f146e784a8ccb618f861b295dcf63bf9b4f8
SHA512 b5ed0879857fbca04e15ad7424984a14d3da6efa69e0b79d789f946553985e50149e91b4e3c56913ba6418ee636da74e9d872633b74f769eb3edddf45d0e39c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b49ce1a3b7831f3b942d31798cabd28
SHA1 ad824f6357d081d815e26dc62b6970128777fac8
SHA256 642feaa0927c6f105e111d2bbaa7010278fb19830c19ec19b286befaee007167
SHA512 0ddf0bf76905427e301aa8bc66ba3f70055023b2d7b84b5f02be4b316dce27149b9d26a399b267195e891fed00fdc6f8149a354c71492d505aaebacf08082740

memory/2624-726-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0c715f0c3616e6be9087bcfa1a1d6749
SHA1 9eb6045eecf868af0efa6e1df2e275edee4305bf
SHA256 c5d0e54b4f83b04f31f80cfd9a461a2369f724d262b5a1c55fb4f2829cbbd0cd
SHA512 ec021aa4664cbee44f136c1a37bf2191718bde850594f17746c98abb28038bf7c8518a60ca8f6525b5f5578992edbc4c0f829ba5522b54b9caf056241d38ae09

memory/1732-727-0x0000000000400000-0x0000000002985000-memory.dmp

memory/1588-746-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1588-747-0x0000000000A80000-0x0000000000C71000-memory.dmp

memory/2624-748-0x000000001B230000-0x000000001B2B0000-memory.dmp

memory/1588-749-0x0000000000A80000-0x0000000000C71000-memory.dmp

memory/2716-750-0x0000000003750000-0x0000000003941000-memory.dmp

memory/2716-751-0x0000000003750000-0x0000000003941000-memory.dmp

memory/2472-756-0x0000000002D80000-0x0000000002EF1000-memory.dmp

memory/2472-759-0x0000000003590000-0x00000000036C1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c2404f70d9907fc6a0bd13486af0198
SHA1 5ec945986efd8afe08924c6ef78c0ab20f41b5df
SHA256 c69f975c9bcd8d62c28e5c032f50b965babb5239f40fff8c2d7e597e54a395a6
SHA512 6c859f644fbd341ab31248e89c3a142225a71d4b5cffa96124b2372cdfc963e6ce630c0ecf3d820029417244bcd9dded9cbdee12850985e6f2c1ed419f515e3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63be64fc8ec7848165afcd5d3312bbd1
SHA1 06cee26bfcff39e0485cf5e0d13a2df59254dee7
SHA256 9ec777e6f3ba55459c1259bb857e091154aba7881b7b922348f83d596ecbc1a3
SHA512 17cad291046c6ffe3558cbbb4274ff84be3b8be22ab27aeaeac7b9f1a6e3cf1e1f67e81c18dbcd7bb35ca045abe22a79b1947b33272f12140d26e2f5340dda2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b019828d4994f47f6c1a7f4f1f7f920a
SHA1 c0296cffc696c9081d5c645edd37241c6f438075
SHA256 5a4d42e87ca342cd8742b988418bcff1a389f78c6c511a59ea9c85be550fd8dd
SHA512 6475b4f9c7d6095bb3173dc9fb8855baf5d7f4ee3e7d2dc4f487bb06fde419eb8132738175508c28b84551fe0ae4852c4974d3dd3bc9aaa1f776affc7e9c806d

memory/1896-879-0x0000000000BA0000-0x0000000000BE0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 669046bbea27fb1473f92c32696846ac
SHA1 092c72b487dd926674913d7d5a7a7291a69e12e9
SHA256 17c2113a0268a59409aa38238c07f45badccc961becfb782225f9d7e5d62f52e
SHA512 0f95a4f89da6260015ae238463b26a9a19e41c80837883624e83f1256d284276882c15da93be2ddbfa40c0532a89d2ecf49fcfd13436607fd1942e59296856e7

memory/1976-882-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1772-948-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1092-949-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2624-1038-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp

memory/1588-1041-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1588-1042-0x0000000000A80000-0x0000000000C71000-memory.dmp

memory/2624-1043-0x000000001B230000-0x000000001B2B0000-memory.dmp

memory/1588-1044-0x0000000000A80000-0x0000000000C71000-memory.dmp

memory/568-1045-0x00000000042D0000-0x00000000046C8000-memory.dmp

C:\Users\Admin\AppData\Local\5f5da0b9-5995-4914-80cd-c3fb690ef81e\build2.exe

MD5 b298c49f1808cc5d93dcc3dfc088b10f
SHA1 c0b8e909d0ef573e0f5a4e25870a63f3f6ee1306
SHA256 ffaed8dcf0282df833b74faf419729dc20951ee7edbb58103fa5c582e93d5f3a
SHA512 1b75aeaa793b5aa92769f68bb0f677206394f5b28e7ac1a23f6be923af812a5a9033920af0c2de1e6805e46a5c9ec283ddecd879b1264d75d7b4190266028895

C:\Users\Admin\AppData\Local\5f5da0b9-5995-4914-80cd-c3fb690ef81e\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/1732-1056-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae9dce7aa864dd95f89d31631ace2c1e
SHA1 a17514e53d2b744a75bd00a6315f0eb193f816e8
SHA256 0e1f5c22010ff42fbd18e0adedb74e9afa6483fa9901e637337df2fba2831974
SHA512 ee9342bcbce4df98fdec97a780f45a206f26d583552a2c090896792de49291bc54305d07664106d42d90acfeac1bf6887a5570df88abf8689c6a430415d3d045

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-26 02:46

Reported

2023-09-26 02:49

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\D247.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\D247.exe = "0" C:\Users\Admin\AppData\Local\Temp\D247.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\D247.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CAD2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D247.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCA8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CBFC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAD2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CBFC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CBFC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D247.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DCA8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E2F3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E95C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CBFC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CBFC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAD2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LRLC7.tmp\is-KSTLN.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAD2.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAD2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAD2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\D247.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\D247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\D247.exe = "0" C:\Users\Admin\AppData\Local\Temp\D247.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\907dc741-2760-4e39-94f5-a129ef544d62\\CBFC.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\CBFC.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\D247.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\D247.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Detected potential entity reuse from brand microsoft.

phishing microsoft

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PA Previewer\is-MPGB3.tmp C:\Users\Admin\AppData\Local\Temp\is-LRLC7.tmp\is-KSTLN.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-IJH4D.tmp C:\Users\Admin\AppData\Local\Temp\is-LRLC7.tmp\is-KSTLN.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-LRLC7.tmp\is-KSTLN.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-LRLC7.tmp\is-KSTLN.tmp N/A
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-LRLC7.tmp\is-KSTLN.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-5B6P9.tmp C:\Users\Admin\AppData\Local\Temp\is-LRLC7.tmp\is-KSTLN.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-D5Q5S.tmp C:\Users\Admin\AppData\Local\Temp\is-LRLC7.tmp\is-KSTLN.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E2F3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E2F3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E2F3.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created (3 events) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created (2 events) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) (2 events) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created (2 events) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created (2 events) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created (2 events) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created (3 events) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created (2 events) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
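The file and registry rows in the tables above are flattened to one line each, with the process path and the N/A target column appended after the indicator. The parser below turns such rows back into records and groups them per process; it is an added example for this page, not the sandbox's own output or tooling. The six rows in SAMPLE_ROWS are copied from tables on this page. The layout it assumes (description prefix, then indicator, then the last space-preceded C:\ path as the process, then N/A as target) is an assumption about the flattened text, not a documented format.

```python
"""Turn the flattened file/registry signature rows of this report into records.

Added example for this page; not the sandbox's own output or tooling.
Assumed row layout:  <description> <indicator> <process path> <target>
where the process path is the last space-preceded field starting with C:
and the target column is N/A in every row shown on this page.
"""
import re
from collections import Counter, defaultdict

# Action vocabulary seen in this report's file/registry tables, matched as a row
# prefix; longest first so "Key value queried" is tried before "Key queried".
DESCRIPTIONS = sorted((
    "File opened for modification", "File opened (read-only)", "File created",
    "Key value queried", "Key enumerated", "Key created", "Key queried", "Key opened",
    "Set value (str)", "Set value (int)",
), key=len, reverse=True)

VALUE_RE = re.compile(r'^(?P<key>.*) = "(?P<value>.*)"$')

# Rows copied from this report, one per line.
SAMPLE_ROWS = r"""
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E2F3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\D247.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
"""


def parse_row(row):
    """Split one flattened row into a dict; None for rows that do not start
    with a known description (the table header, blank lines)."""
    row = row.strip()
    desc = next((d for d in DESCRIPTIONS if row.startswith(d + " ")), None)
    if desc is None:
        return None
    rest = row[len(desc) + 1:]
    # Target column: the trailing "N/A" on every row of this page.
    rest, _, target = rest.rpartition(" ")
    # Process column: the last " C:\" starts it. An indicator may itself contain
    # "C:\" (the MuiCache keys do) but never preceded by a space.
    indicator, sep, proc_tail = rest.rpartition(" C:\\")
    if not sep:
        return None
    rec = {"action": desc, "indicator": indicator,
           "process": "C:\\" + proc_tail, "target": target}
    m = VALUE_RE.match(indicator)
    if desc.startswith("Set value") and m:
        rec["key"], rec["value"] = m.group("key"), m.group("value")
    return rec


def parse_rows(text):
    return [r for r in (parse_row(line) for line in text.splitlines()) if r]


def by_process(records):
    """(action, indicator) pairs per process, deduplicated, first-seen order."""
    grouped = defaultdict(dict)
    for r in records:
        grouped[r["process"]].setdefault((r["action"], r["indicator"]), None)
    return {proc: list(pairs) for proc, pairs in grouped.items()}


def action_counts(records):
    """How many file/registry actions of each kind every process performed."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["process"]][r["action"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for proc, pairs in by_process(parse_rows(SAMPLE_ROWS)).items():
        print(proc.rsplit("\\", 1)[-1])
        for action, indicator in pairs:
            print(f"    {action:<28} {indicator}")
```

Run as a script it prints one block per process. Feeding it the full tables is the quickest way to see, for example, that every csrss.exe write under C:\Windows\rss and the VBoxMiniRdrDN probe come from the same 31839b57... binary, which is the kind of per-process view this report's per-signature layout hides.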

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A (2 events) N/A C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe N/A
N/A (62 events, no process recorded) N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege (30 events, no process recorded) N/A N/A N/A
Token: SeCreatePagefilePrivilege (30 events, no process recorded) N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CAD2.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A (25 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A (24 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3168 wrote to memory of 420 (3 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\CAD2.exe
PID 3168 wrote to memory of 4792 (3 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\CBFC.exe
PID 3168 wrote to memory of 532 (2 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\kos.exe
PID 532 wrote to memory of 4132 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\kos.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4792 wrote to memory of 4740 (10 events) N/A C:\Users\Admin\AppData\Local\Temp\CBFC.exe C:\Users\Admin\AppData\Local\Temp\CBFC.exe
PID 3168 wrote to memory of 2476 (3 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\D247.exe
PID 3168 wrote to memory of 2688 (3 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\DCA8.exe
PID 2476 wrote to memory of 4988 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\D247.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 764 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\D247.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
PID 4740 wrote to memory of 2020 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\CBFC.exe C:\Windows\SysWOW64\icacls.exe
PID 3168 wrote to memory of 2136 (3 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\E2F3.exe
PID 2688 wrote to memory of 2116 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\DCA8.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 3168 wrote to memory of 4512 (3 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\E95C.exe
PID 2688 wrote to memory of 4492 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\DCA8.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 4740 wrote to memory of 1076 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\CBFC.exe C:\Users\Admin\AppData\Local\Temp\CBFC.exe
PID 4492 wrote to memory of 3936 (6 events) N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2688 wrote to memory of 1420 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\DCA8.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\D247.exe N/A

Uses Task Scheduler COM API

persistence
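The Signatures above are the sandbox's verdicts; the command lines recorded under Processes are what an endpoint sensor would actually see. The rules below are an added example of turning those command lines into process-creation detections, checked against events constructed from this report. They are not sandbox output and not a vendor rule set: the parent/child pairs are taken from the WriteProcessMemory table (the AppLaunch.exe parent is assumed from list order), the event fields loosely follow Sysmon event 1, the user-writable-path pattern and the .NET host list are this example's own choices, and the benign msedge.exe event at the end is constructed as a control.

```python
"""Process-creation detection rules, checked against this report's command lines.

Added example; not sandbox output and not a vendor rule set. SAMPLE_EVENTS are
constructed from the Processes list on this page, parent/child pairs from the
WriteProcessMemory table; the AppLaunch.exe parent is assumed from list order.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str         # full path of the created process
    cmdline: str       # its command line
    parent_image: str  # full path of the creating process


# Locations an unprivileged user can write to (assumed list): a payload staged
# here is the common thread in every hit below.
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
# Signed .NET framework hosts commonly used as injection targets; the first two
# appear on this page, the rest are this example's addition.
DOTNET_HOSTS = {"aspnet_state.exe", "applaunch.exe", "regasm.exe", "regsvcs.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def defender_exclusion_added(e):
    # powershell Add-MpPreference -ExclusionPath <self>: the dropper whitelists itself.
    return basename(e.image) in {"powershell.exe", "pwsh.exe"} and bool(
        re.search(r"add-mppreference", e.cmdline, re.I)
        and re.search(r"-exclusion(?:path|process|extension)", e.cmdline, re.I))


def icacls_deny_everyone(e):
    # /deny *S-1-1-0:(OI)(CI)(DE,DC): S-1-1-0 is Everyone; DE/DC deny delete and
    # delete-child, so the dropped folder survives a user clean-up attempt.
    cmd = e.cmdline.lower()
    return basename(e.image) == "icacls.exe" and "/deny" in cmd and "s-1-1-0" in cmd


def regsvr32_dll_from_user_dir(e):
    # regsvr32 /s <dll under a user-writable path>: DllRegisterServer runs silently.
    return basename(e.image) == "regsvr32.exe" and bool(
        USER_WRITABLE.search(e.cmdline)) and ".dll" in e.cmdline.lower()


def dotnet_host_spawned_from_user_dir(e):
    # A .NET host started with no arguments by a temp-dir executable, matching the
    # WriteProcessMemory calls from D247.exe into aspnet_state.exe on this page.
    bare = e.cmdline.strip().strip('"').lower()
    return (basename(e.image) in DOTNET_HOSTS
            and bool(USER_WRITABLE.search(e.parent_image))
            and bare == e.image.lower())


def stop_djvu_relaunch_args(e):
    # Argument string recorded for CBFC.exe on this page.
    return "--admin isnotautostart isnottask" in e.cmdline.lower()


RULES = [
    ("defender_exclusion_added", defender_exclusion_added),
    ("icacls_deny_everyone", icacls_deny_everyone),
    ("regsvr32_dll_from_user_dir", regsvr32_dll_from_user_dir),
    ("dotnet_host_spawned_from_user_dir", dotnet_host_spawned_from_user_dir),
    ("stop_djvu_relaunch_args", stop_djvu_relaunch_args),
]


def evaluate(event):
    """Names of every rule the event trips, in RULES order."""
    return [name for name, pred in RULES if pred(event)]


def run_rules(events):
    return [(basename(e.image), evaluate(e)) for e in events]


T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\D247.exe" -Force',
              T + r"\D247.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\icacls.exe",
              r'icacls "C:\Users\Admin\AppData\Local\907dc741-2760-4e39-94f5-a129ef544d62" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
              T + r"\CBFC.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\regsvr32.exe", r"/s C:\Users\Admin\AppData\Local\Temp\CDC2.dll", T + r"\kos.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"', T + r"\D247.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"', T + r"\kos1.exe"),  # parent assumed
    ProcEvent(T + r"\CBFC.exe", r'"C:\Users\Admin\AppData\Local\Temp\CBFC.exe" --Admin IsNotAutoStart IsNotTask', T + r"\CBFC.exe"),
    # Constructed benign control: a browser launched from the shell trips nothing.
    ProcEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, hits in run_rules(SAMPLE_EVENTS):
        print(f"{image:<18} {', '.join(hits) or '-'}")
```

Run as a script it prints one line per event with the rules it trips. The control event is the part worth keeping when tuning: the regsvr32 and .NET-host rules key on the user-writable path pattern rather than on the binary name, so a legitimate regsvr32 of a DLL under System32 or a .NET host started by an installer in Program Files stays quiet.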

Processes

C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe

"C:\Users\Admin\AppData\Local\Temp\d41ca3f8c094abda9409b9c405bdcdf6eb79856a0ecf5ac3a358c2fc6760f7d4.exe"

C:\Users\Admin\AppData\Local\Temp\CAD2.exe

C:\Users\Admin\AppData\Local\Temp\CAD2.exe

C:\Users\Admin\AppData\Local\Temp\CBFC.exe

C:\Users\Admin\AppData\Local\Temp\CBFC.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CDC2.dll

C:\Users\Admin\AppData\Local\Temp\CBFC.exe

C:\Users\Admin\AppData\Local\Temp\CBFC.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\CDC2.dll

C:\Users\Admin\AppData\Local\Temp\D247.exe

C:\Users\Admin\AppData\Local\Temp\D247.exe

C:\Users\Admin\AppData\Local\Temp\DCA8.exe

C:\Users\Admin\AppData\Local\Temp\DCA8.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\D247.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\907dc741-2760-4e39-94f5-a129ef544d62" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\E2F3.exe

C:\Users\Admin\AppData\Local\Temp\E2F3.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\CBFC.exe

"C:\Users\Admin\AppData\Local\Temp\CBFC.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E95C.exe

C:\Users\Admin\AppData\Local\Temp\E95C.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\CBFC.exe

"C:\Users\Admin\AppData\Local\Temp\CBFC.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4288 -ip 4288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4512 -ip 4512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 568

C:\Users\Admin\AppData\Local\Temp\CAD2.exe

C:\Users\Admin\AppData\Local\Temp\CAD2.exe

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffbd9146f8,0x7fffbd914708,0x7fffbd914718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_state.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Users\Admin\AppData\Local\Temp\is-LRLC7.tmp\is-KSTLN.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LRLC7.tmp\is-KSTLN.tmp" /SL4 $C0054 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 236

C:\Users\Admin\AppData\Local\Temp\CAD2.exe

"C:\Users\Admin\AppData\Local\Temp\CAD2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,7821115416344703643,16914607085039785342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,7821115416344703643,16914607085039785342,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,7821115416344703643,16914607085039785342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7821115416344703643,16914607085039785342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7821115416344703643,16914607085039785342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7821115416344703643,16914607085039785342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_state.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7fffbd9146f8,0x7fffbd914708,0x7fffbd914718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7821115416344703643,16914607085039785342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7821115416344703643,16914607085039785342,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7821115416344703643,16914607085039785342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7821115416344703643,16914607085039785342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\CAD2.exe

"C:\Users\Admin\AppData\Local\Temp\CAD2.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4224 -ip 4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7821115416344703643,16914607085039785342,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7821115416344703643,16914607085039785342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,7821115416344703643,16914607085039785342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,7821115416344703643,16914607085039785342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network


Files

SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/4744-250-0x0000000000600000-0x0000000000601000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/3740-243-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4224-255-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/4224-259-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4988-265-0x0000000005E70000-0x0000000005E8E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 09d2bae3b05f4c92b25a8c6225df6483
SHA1 ff084d8a1f43903b95bf9144b3719126a3d40cc8
SHA256 a282e51236ad1fb5eb73b2d8d8cb022213cda792705d8f595b504e2b6d2e00c5
SHA512 2151cb657a649acbc7009b20a0101f4d196a2c3cf4793885f95e8b865fb6da424a17fa139b97e312e2157a559beb5be63c824841c871114fec949d810c92bd2c

memory/4988-268-0x0000000072A60000-0x0000000073210000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 f56621d43f69838d6250c9fe369d0b8b
SHA1 1d071d9b3a319504fe6645b1a5d4c375a57b49e2
SHA256 6f0dee15ae9cd72209baec307fb80296992e836eac303296102a6a6a30014670
SHA512 06eeedb49655b8111a6e10d9877e4e122ea88c683fe1d07bd99a832e902a90c4425347dcd657bc56b417cf9d528b14522ea716c9edd8839b0a9a1626d66f3bf6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c0419d05ad443966df72dd199ad71dd8
SHA1 0ba0b1ddfbd9e45879342dba9191efbc478edf05
SHA256 49e4e0f0690e9d8e830bd520e4cd37e616a530274c6b9ce978f11c122c19696b
SHA512 e63bd124dd8d1b8993b42507a81e39c74edabfc5798cef0869638f3c2ee95a4646aab829d0d974e7912d7fa127f1098d98b92d31b4b01e1d4b4ddfd8e6e84c91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 2c121ce6e23d942eddc78a1cb3daa854
SHA1 01066eada382dc8d3776905357a4cf551314d17c
SHA256 2d188c2d0bd32ff12e4f28f9bd0e2b5eb8af69f2fe9b25bfc9608817d10576bd
SHA512 6e35d1a19eab136c70ca5cadf1cdbeaecf64284e363fed746c63e7ed2caba0e58b3f0ca65c71f433a0d89da2437f05e8c5ea923188bd913c7b3aa4ae509b3f1f

memory/4224-256-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1420-270-0x0000000000400000-0x0000000002985000-memory.dmp

memory/4988-274-0x0000000002610000-0x0000000002620000-memory.dmp

memory/3884-275-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/532-240-0x00007FFFBFF50000-0x00007FFFC0A11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

C:\Users\Admin\AppData\Local\Temp\is-PMNTD.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Users\Admin\AppData\Local\Temp\is-PMNTD.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Users\Admin\AppData\Local\Temp\is-LRLC7.tmp\is-KSTLN.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/3740-222-0x0000000000400000-0x0000000000537000-memory.dmp

memory/532-217-0x000000001B010000-0x000000001B020000-memory.dmp

memory/3740-215-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAD2.exe

MD5 288a6a5ad3d2e862797b5d396101bcdc
SHA1 b6a0d1f77689e1c951c7e858c69079584efa0385
SHA256 ed8a375b3dd7fd9eeb27f212567dc09884ad47a4dac4f73a4b25e3708ee3d7f6
SHA512 0b2c754608e4c64edfd612c88a99e89026f3951f9c4d67fd028a20ad7e78302ad568224a79cb36838adecd0e67479b2d0fd34f45d3f6e35e4796fcf4c3b1aede

memory/3436-209-0x0000000072A60000-0x0000000073210000-memory.dmp

memory/1420-211-0x0000000004AC0000-0x00000000053AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/4232-205-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/1120-194-0x0000000005270000-0x00000000052BC000-memory.dmp

memory/1120-191-0x0000000072A60000-0x0000000073210000-memory.dmp

memory/4232-188-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/1120-184-0x0000000005090000-0x00000000050A2000-memory.dmp

memory/3936-180-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4988-176-0x0000000005A30000-0x0000000005D84000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/4988-284-0x0000000002610000-0x0000000002620000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Temp\CAD2.exe

MD5 288a6a5ad3d2e862797b5d396101bcdc
SHA1 b6a0d1f77689e1c951c7e858c69079584efa0385
SHA256 ed8a375b3dd7fd9eeb27f212567dc09884ad47a4dac4f73a4b25e3708ee3d7f6
SHA512 0b2c754608e4c64edfd612c88a99e89026f3951f9c4d67fd028a20ad7e78302ad568224a79cb36838adecd0e67479b2d0fd34f45d3f6e35e4796fcf4c3b1aede

memory/3740-283-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1120-167-0x0000000005670000-0x0000000005C88000-memory.dmp

memory/1120-293-0x0000000005400000-0x0000000005476000-memory.dmp

memory/1420-166-0x0000000000400000-0x0000000002985000-memory.dmp

memory/4232-298-0x0000000000400000-0x0000000000413000-memory.dmp

\??\pipe\LOCAL\crashpad_2932_KLZDFOMYXKIANEAT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4744-334-0x0000000000400000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 40b20900824997376844934909b7d1aa
SHA1 b5c79e9162a67a45bdb948cbaceb598daf4085fb
SHA256 77fc8562f361d4a77b90a8b40627e09fe2e26f1ba42ec1d51ed3b8c201cde9ac
SHA512 81d22310b7026430d8810c137e3b6093ebea7d6b215cd5da9e6dba2d5a5853e60dc2ea86afab7217836453eb01d81124cad20337ab159f96c52a86a69aa510c2

memory/3168-376-0x0000000002E40000-0x0000000002E56000-memory.dmp

memory/2136-380-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1420-381-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 db9dbef3f8b1f616429f605c1ebca2f0
SHA1 ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA256 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA512 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

C:\Users\Admin\AppData\Local\Temp\CAD2.exe

MD5 288a6a5ad3d2e862797b5d396101bcdc
SHA1 b6a0d1f77689e1c951c7e858c69079584efa0385
SHA256 ed8a375b3dd7fd9eeb27f212567dc09884ad47a4dac4f73a4b25e3708ee3d7f6
SHA512 0b2c754608e4c64edfd612c88a99e89026f3951f9c4d67fd028a20ad7e78302ad568224a79cb36838adecd0e67479b2d0fd34f45d3f6e35e4796fcf4c3b1aede

memory/4224-427-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4224-433-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4224-428-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7b31f57d1bd0c779a679b646cdaa2841
SHA1 4df19c242d849d92a6904b7d5cfabf98955b8fcc
SHA256 552d6322006af348bcc8459336b0b568e0539a83f843cddc9e5f984e7dffcb7a
SHA512 c02c34c98fd276a4f4a638e04ce413031a2652cff02a68173c597bbfbb1e052010195ed1519144bd21d9f6e7ca2c64f11900fd70363d7492d8c56dc9b710ac34

memory/3884-457-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5313ce330cdfda56bc1d95d37759b54e
SHA1 7a3cbc82c39f10f13536705a887b1d3b98d5785e
SHA256 bcb369e8cd9cd156c9a5507ee4eb60f16f6270ee6d64e3b2e8e442eb407acbb7
SHA512 bd880cf49d38862b22bbaea2cc78d27f101d684dfc15f2389b3c549c068f912bc4dcc310518ff5f3895aa4bb707f692f25e7e9bed143c70e0bdc2ef038070f52

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 6dcb90ba1ba8e06c1d4f27ec78f6911a
SHA1 71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9
SHA256 30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416
SHA512 dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/1420-503-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c2b393a5ca447c47876109fc43ad37ea
SHA1 247fe3340c2101dfab83c43a8c28b493e55fcbbc
SHA256 54a6d9ff2da4e6c587de4f2e6277ec586b905a51d8da2b7a849739e600c85cd3
SHA512 f24af96abad6bfb79c93d100256d76aa52ac69a15e9bbaa14350ac27989696dd93553c46b1c01b04c218a58d6b22ce6c6bbe4a6156debbd11ce384667dec3586

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 af68d3fc441b89e8c376e21afdcd2548
SHA1 fbae5fb9961977049510cf8d8b6a387b129155e0
SHA256 105f9e65dbd656af708144b3414e1e71b27242467519fead5ef1004c02ce0984
SHA512 473a29b070986974973ef4afe9c8c7a137c952036fb48bd82eaafcc8dc1c69c58fb3b4e21a820e009333a234e907486a1ec8d28a5c3ca4845d50c73d53953d1b

C:\Windows\rss\csrss.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Windows\rss\csrss.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 d742ed2bc783f35a2243d6dae76753b5
SHA1 59b6a970d5ccd74a01c717eba47349c0277ffb97
SHA256 1e4e881a8c0e370a82fad0ce04a77b21691658948582aa481a9982d5225c3a86
SHA512 5a8e360aa3ac0850d3ee821b92f3e439387ff88110750d419c0e195267f9759380e4827c4a48c84274f63033426638a58fae329f51cb0fe1eff63eaee4024052

C:\Users\Admin\AppData\Roaming\acwfias

MD5 7d743b59dffa34ff9bb5d82196d74b37
SHA1 66de2cc818789d7f4e0620ca10b0309dbc4278f9
SHA256 147b7c2bd74eaf54d96146d84b6732d10079e129a06a1f84b1b59067925d74fe
SHA512 85ea15e8f4673bd78ceec0d0fbee76e64c3072c1fcabec1358699ab7343f2dc9950cec56de6d2b548f75caaf9c02488c354751ec57d548170d28e6721ec7f009

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e0c32170e0b9d1adcd719c99d4657a9b
SHA1 fe41f67ac662bb44eba6b649912242a590281c42
SHA256 4814019e9178b288e334328b0703109ff98194c243d79d99b6518e537579ade4
SHA512 be15082a268ad82986dcc998135c5430ab0c1f6b2e3957d5235693d6f88265fb63a7072d4a9ba5447728a08e57c4c6f1207d34630d2bb520d341ae0e84cf881a