Malware Analysis Report

2025-04-14 06:37

Sample ID 230926-lghqsahd86
Target 94e30e7702369df7b44d0032d788e1d7a112190ac9073e43681ae0941b22cb6b
SHA256 94e30e7702369df7b44d0032d788e1d7a112190ac9073e43681ae0941b22cb6b
Tags
djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 up3 backdoor microsoft discovery dropper evasion infostealer loader persistence phishing ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

94e30e7702369df7b44d0032d788e1d7a112190ac9073e43681ae0941b22cb6b

Threat Level: Known bad

The file 94e30e7702369df7b44d0032d788e1d7a112190ac9073e43681ae0941b22cb6b was found to be: Known bad.

Malicious Activity Summary

djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 up3 backdoor microsoft discovery dropper evasion infostealer loader persistence phishing ransomware spyware stealer trojan

UAC bypass

SmokeLoader

Detected Djvu ransomware

Djvu Ransomware

Glupteba

Glupteba payload

Windows security bypass

RedLine

Downloads MZ/PE file

Modifies Windows Firewall

Windows security modification

Reads user/profile data of web browsers

Checks computer location settings

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

System policy modification

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-26 09:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-26 09:30

Reported

2023-09-26 09:32

Platform

win10v2004-20230915-en

Max time kernel

101s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94e30e7702369df7b44d0032d788e1d7a112190ac9073e43681ae0941b22cb6b.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\kos.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\4E7A.exe = "0" C:\Users\Admin\AppData\Local\Temp\4E7A.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\4E7A.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4CE3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\64B2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6FA1.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\4E7A.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\4E7A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\4E7A.exe = "0" C:\Users\Admin\AppData\Local\Temp\4E7A.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6a1afde1-499a-4aa1-944c-f06ca0f101ee\\4CE3.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\4CE3.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\kos.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Detected potential entity reuse from brand microsoft.

phishing microsoft

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PA Previewer\is-RE4R5.tmp C:\Users\Admin\AppData\Local\Temp\is-VD2B6.tmp\is-H45SQ.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-ECLCF.tmp C:\Users\Admin\AppData\Local\Temp\is-VD2B6.tmp\is-H45SQ.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-GPOU7.tmp C:\Users\Admin\AppData\Local\Temp\is-VD2B6.tmp\is-H45SQ.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-VD2B6.tmp\is-H45SQ.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-VD2B6.tmp\is-H45SQ.tmp N/A
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-VD2B6.tmp\is-H45SQ.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-H6H85.tmp C:\Users\Admin\AppData\Local\Temp\is-VD2B6.tmp\is-H45SQ.tmp N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\94e30e7702369df7b44d0032d788e1d7a112190ac9073e43681ae0941b22cb6b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6C26.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6C26.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6C26.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\94e30e7702369df7b44d0032d788e1d7a112190ac9073e43681ae0941b22cb6b.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\94e30e7702369df7b44d0032d788e1d7a112190ac9073e43681ae0941b22cb6b.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\94e30e7702369df7b44d0032d788e1d7a112190ac9073e43681ae0941b22cb6b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94e30e7702369df7b44d0032d788e1d7a112190ac9073e43681ae0941b22cb6b.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3120 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 3120 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 3120 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 3120 wrote to memory of 2760 N/A N/A C:\Users\Admin\AppData\Local\Temp\4E7A.exe
PID 3120 wrote to memory of 2760 N/A N/A C:\Users\Admin\AppData\Local\Temp\4E7A.exe
PID 3120 wrote to memory of 2760 N/A N/A C:\Users\Admin\AppData\Local\Temp\4E7A.exe
PID 2188 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 2188 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 2188 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 2188 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 2188 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 2188 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 2188 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 2188 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 2188 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 2188 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 1676 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Windows\SysWOW64\icacls.exe
PID 1676 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Windows\SysWOW64\icacls.exe
PID 1676 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Windows\SysWOW64\icacls.exe
PID 1676 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 1676 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 1676 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 2760 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\kos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\kos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\kos.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3120 wrote to memory of 3180 N/A N/A C:\Users\Admin\AppData\Local\Temp\64B2.exe
PID 3120 wrote to memory of 3180 N/A N/A C:\Users\Admin\AppData\Local\Temp\64B2.exe
PID 3120 wrote to memory of 3180 N/A N/A C:\Users\Admin\AppData\Local\Temp\64B2.exe
PID 4180 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 4180 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 4180 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 4180 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 4180 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 4180 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 4180 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 4180 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 4180 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 4180 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\4CE3.exe C:\Users\Admin\AppData\Local\Temp\4CE3.exe
PID 2760 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\kos.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2760 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\kos.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2760 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\kos.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2760 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\kos.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2760 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\kos.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2760 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\kos.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2760 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\kos.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2760 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\kos.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 3120 wrote to memory of 2424 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C26.exe
PID 3120 wrote to memory of 2424 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C26.exe
PID 3120 wrote to memory of 2424 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C26.exe
PID 3180 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\64B2.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 3180 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\64B2.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 3120 wrote to memory of 4100 N/A N/A C:\Users\Admin\AppData\Local\Temp\6FA1.exe
PID 3120 wrote to memory of 4100 N/A N/A C:\Users\Admin\AppData\Local\Temp\6FA1.exe
PID 3120 wrote to memory of 4100 N/A N/A C:\Users\Admin\AppData\Local\Temp\6FA1.exe
PID 3180 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\64B2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 3180 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\64B2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 3180 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\64B2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 3180 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\64B2.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 3180 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\64B2.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 3180 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\64B2.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 3120 wrote to memory of 224 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3120 wrote to memory of 224 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4100 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\6FA1.exe C:\Users\Admin\AppData\Local\Temp\6FA1.exe
PID 4100 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\6FA1.exe C:\Users\Admin\AppData\Local\Temp\6FA1.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\kos.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\94e30e7702369df7b44d0032d788e1d7a112190ac9073e43681ae0941b22cb6b.exe

"C:\Users\Admin\AppData\Local\Temp\94e30e7702369df7b44d0032d788e1d7a112190ac9073e43681ae0941b22cb6b.exe"

C:\Users\Admin\AppData\Local\Temp\4CE3.exe

C:\Users\Admin\AppData\Local\Temp\4CE3.exe

C:\Users\Admin\AppData\Local\Temp\4E7A.exe

C:\Users\Admin\AppData\Local\Temp\4E7A.exe

C:\Users\Admin\AppData\Local\Temp\4CE3.exe

C:\Users\Admin\AppData\Local\Temp\4CE3.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6a1afde1-499a-4aa1-944c-f06ca0f101ee" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\4CE3.exe

"C:\Users\Admin\AppData\Local\Temp\4CE3.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4E7A.exe" -Force

C:\Users\Admin\AppData\Local\Temp\64B2.exe

C:\Users\Admin\AppData\Local\Temp\64B2.exe

C:\Users\Admin\AppData\Local\Temp\4CE3.exe

"C:\Users\Admin\AppData\Local\Temp\4CE3.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2496 -ip 2496

C:\Users\Admin\AppData\Local\Temp\6C26.exe

C:\Users\Admin\AppData\Local\Temp\6C26.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 568

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\74E2.dll

C:\Users\Admin\AppData\Local\Temp\7689.exe

C:\Users\Admin\AppData\Local\Temp\7689.exe

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\74E2.dll

C:\Users\Admin\AppData\Local\Temp\6FA1.exe

C:\Users\Admin\AppData\Local\Temp\6FA1.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\6FA1.exe

C:\Users\Admin\AppData\Local\Temp\6FA1.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4612 -ip 4612

C:\Users\Admin\AppData\Local\Temp\is-VD2B6.tmp\is-H45SQ.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VD2B6.tmp\is-H45SQ.tmp" /SL4 $F0066 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8a8a46f8,0x7ffc8a8a4708,0x7ffc8a8a4718

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Users\Admin\AppData\Local\Temp\6FA1.exe

"C:\Users\Admin\AppData\Local\Temp\6FA1.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2112 -ip 2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8a8a46f8,0x7ffc8a8a4708,0x7ffc8a8a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 276

C:\Users\Admin\AppData\Local\Temp\6FA1.exe

"C:\Users\Admin\AppData\Local\Temp\6FA1.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,2291796988078806621,10433305132811542386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2372 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,2291796988078806621,10433305132811542386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,4170544260769632345,11454117555492352547,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,4170544260769632345,11454117555492352547,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2291796988078806621,10433305132811542386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2291796988078806621,10433305132811542386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,2291796988078806621,10433305132811542386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2291796988078806621,10433305132811542386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2291796988078806621,10433305132811542386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2291796988078806621,10433305132811542386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2291796988078806621,10433305132811542386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2291796988078806621,10433305132811542386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2291796988078806621,10433305132811542386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2291796988078806621,10433305132811542386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,2291796988078806621,10433305132811542386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,2291796988078806621,10433305132811542386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\A90F.exe

C:\Users\Admin\AppData\Local\Temp\A90F.exe

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.97.0:80 potunulit.org tcp
BG 193.42.32.101:80 193.42.32.101 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
PL 146.59.10.173:45035 tcp
US 8.8.8.8:53 173.10.59.146.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 mscom.demdex.net udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 target.microsoft.com udp
IE 52.211.144.29:443 mscom.demdex.net tcp
US 8.8.8.8:53 29.144.211.52.in-addr.arpa udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 gudintas.at udp
MX 201.119.80.5:80 gudintas.at tcp
US 8.8.8.8:53 5.80.119.201.in-addr.arpa udp
MX 201.119.80.5:80 gudintas.at tcp
MX 201.119.80.5:80 gudintas.at tcp
MX 201.119.80.5:80 gudintas.at tcp
MX 201.119.80.5:80 gudintas.at tcp
MX 201.119.80.5:80 gudintas.at tcp
MX 201.119.80.5:80 gudintas.at tcp
MX 201.119.80.5:80 gudintas.at tcp
MX 201.119.80.5:80 gudintas.at tcp
MX 201.119.80.5:80 gudintas.at tcp
MX 201.119.80.5:80 gudintas.at tcp
MX 201.119.80.5:80 gudintas.at tcp
MX 201.119.80.5:80 gudintas.at tcp
MX 201.119.80.5:80 gudintas.at tcp
US 8.8.8.8:53 ghourinetworks.com udp
US 104.153.72.202:443 ghourinetworks.com tcp
MX 201.119.80.5:80 gudintas.at tcp
US 8.8.8.8:53 202.72.153.104.in-addr.arpa udp
US 8.8.8.8:53 db48e8e4-2ca7-4c3b-99fa-98b8078e9cbb.uuid.cdneurops.health udp
BG 91.191.209.110:8080 tcp
US 8.8.8.8:53 110.209.191.91.in-addr.arpa udp
US 8.8.8.8:53 datasheet.fun udp
US 172.67.166.109:80 datasheet.fun tcp
US 8.8.8.8:53 109.166.67.172.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 server10.cdneurops.health udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp

Files

memory/4548-1-0x00000000027E0000-0x00000000028E0000-memory.dmp

memory/4548-2-0x0000000002740000-0x0000000002749000-memory.dmp

memory/4548-3-0x0000000000400000-0x000000000259F000-memory.dmp

memory/3120-4-0x0000000003320000-0x0000000003336000-memory.dmp

memory/4548-5-0x0000000000400000-0x000000000259F000-memory.dmp

memory/4548-8-0x0000000002740000-0x0000000002749000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4CE3.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

C:\Users\Admin\AppData\Local\Temp\4CE3.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/2188-18-0x0000000004250000-0x00000000042EC000-memory.dmp

memory/2188-19-0x00000000042F0000-0x000000000440B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4E7A.exe

MD5 c00bb4f6743b66f820229cb1e7f366ea
SHA1 e54b697cf11d1478c9647794d1573800faa27109
SHA256 b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
SHA512 4b0a469a4a93fee2e0bbc92e0aaedba61be80f49bce71cceeb87c18f101306ae10a45d8ae7c776f430c9d716508e81ae0596000c721b25c4923c323fe8a4e0c0

C:\Users\Admin\AppData\Local\Temp\4E7A.exe

MD5 c00bb4f6743b66f820229cb1e7f366ea
SHA1 e54b697cf11d1478c9647794d1573800faa27109
SHA256 b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
SHA512 4b0a469a4a93fee2e0bbc92e0aaedba61be80f49bce71cceeb87c18f101306ae10a45d8ae7c776f430c9d716508e81ae0596000c721b25c4923c323fe8a4e0c0

memory/1676-23-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4CE3.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/1676-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2760-26-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/2760-27-0x0000000000720000-0x00000000007B2000-memory.dmp

memory/1676-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1676-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2760-30-0x00000000051F0000-0x000000000528C000-memory.dmp

memory/2760-31-0x0000000005B80000-0x0000000006124000-memory.dmp

memory/2760-32-0x00000000056D0000-0x0000000005762000-memory.dmp

memory/2760-33-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

memory/2760-34-0x0000000005150000-0x000000000518A000-memory.dmp

memory/2760-37-0x0000000005190000-0x00000000051AA000-memory.dmp

C:\Users\Admin\AppData\Local\6a1afde1-499a-4aa1-944c-f06ca0f101ee\4CE3.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

C:\Users\Admin\AppData\Local\Temp\4CE3.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/4200-45-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/1676-47-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\64B2.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

C:\Users\Admin\AppData\Local\Temp\64B2.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

memory/4200-52-0x0000000002850000-0x0000000002860000-memory.dmp

memory/2496-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4200-59-0x0000000002810000-0x0000000002846000-memory.dmp

memory/3180-60-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/3180-58-0x0000000000210000-0x00000000008A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4CE3.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/2496-61-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2760-62-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/4200-64-0x0000000002850000-0x0000000002860000-memory.dmp

memory/2496-65-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4180-50-0x00000000028F0000-0x0000000002989000-memory.dmp

memory/3604-67-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4200-71-0x0000000005400000-0x0000000005A28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6C26.exe

MD5 2d911f49c957cc0281b3397a5baec56f
SHA1 561c0f8fc84e757d39cdf84534a0551989afada2
SHA256 55a81d333ac20da1e33993b3bcf7f9e44927776f4d50560fe358ef1d3cc9b413
SHA512 9dfaabbeb116d5b6c0521cc39c3fbdcf6c94f517da80314e59b670f1fd0a5fe537ac6307b33465f7a74c42437f880d5cc06aeab0dac9fbf99d73d646c1e869fe

memory/2760-74-0x0000000074700000-0x0000000074EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6C26.exe

MD5 2d911f49c957cc0281b3397a5baec56f
SHA1 561c0f8fc84e757d39cdf84534a0551989afada2
SHA256 55a81d333ac20da1e33993b3bcf7f9e44927776f4d50560fe358ef1d3cc9b413
SHA512 9dfaabbeb116d5b6c0521cc39c3fbdcf6c94f517da80314e59b670f1fd0a5fe537ac6307b33465f7a74c42437f880d5cc06aeab0dac9fbf99d73d646c1e869fe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/1084-93-0x00007FF736560000-0x00007FF736602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\6FA1.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/4200-103-0x0000000005AA0000-0x0000000005B06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/4200-110-0x0000000005B10000-0x0000000005B76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aecqgkb0.gab.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4556-133-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7689.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

memory/1908-148-0x000000000288C000-0x000000000289F000-memory.dmp

memory/1908-157-0x0000000002800000-0x0000000002809000-memory.dmp

memory/2424-155-0x0000000000400000-0x00000000025A0000-memory.dmp

memory/4100-151-0x0000000004420000-0x000000000453B000-memory.dmp

memory/4556-149-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3180-156-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/4100-146-0x0000000004117000-0x00000000041A8000-memory.dmp

memory/4968-145-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\6FA1.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/4968-136-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2880-141-0x0000000000FD0000-0x0000000001144000-memory.dmp

memory/4556-138-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7689.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/2424-113-0x0000000002720000-0x0000000002729000-memory.dmp

memory/2424-109-0x00000000025E0000-0x00000000026E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\6FA1.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/4200-94-0x0000000005090000-0x00000000050B2000-memory.dmp

memory/4200-160-0x0000000005C80000-0x0000000005FD4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\74E2.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

memory/2880-161-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/4556-162-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1328-163-0x00000000045D0000-0x00000000049D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\74E2.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

memory/1328-164-0x0000000004AE0000-0x00000000053CB000-memory.dmp

memory/4200-173-0x0000000074700000-0x0000000074EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 09d2bae3b05f4c92b25a8c6225df6483
SHA1 ff084d8a1f43903b95bf9144b3719126a3d40cc8
SHA256 a282e51236ad1fb5eb73b2d8d8cb022213cda792705d8f595b504e2b6d2e00c5
SHA512 2151cb657a649acbc7009b20a0101f4d196a2c3cf4793885f95e8b865fb6da424a17fa139b97e312e2157a559beb5be63c824841c871114fec949d810c92bd2c

memory/4596-193-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3984-200-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1328-207-0x0000000000400000-0x0000000002985000-memory.dmp

memory/2760-208-0x0000000000250000-0x0000000000258000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VD2B6.tmp\is-H45SQ.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/3984-213-0x0000000003010000-0x0000000003016000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VD2B6.tmp\is-H45SQ.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/2424-203-0x0000000000400000-0x00000000025A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-JOVGJ.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/3984-229-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/4596-230-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4556-231-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6FA1.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/2760-240-0x00007FFC78E00000-0x00007FFC798C1000-memory.dmp

memory/4200-255-0x00000000060E0000-0x00000000060FE000-memory.dmp

memory/3984-253-0x0000000005F00000-0x0000000006518000-memory.dmp

memory/2112-259-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6FA1.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/3028-261-0x00000000041BA000-0x000000000424B000-memory.dmp

memory/3984-264-0x0000000005710000-0x0000000005722000-memory.dmp

memory/2112-263-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4580-266-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\ProgramData\ContentDVSvc\ContentDVSvc.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/3984-273-0x0000000005770000-0x00000000057AC000-memory.dmp

memory/4580-278-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2760-279-0x000000001AF70000-0x000000001AF80000-memory.dmp

memory/4176-280-0x0000000000680000-0x0000000000686000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/2112-267-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1328-243-0x0000000000400000-0x0000000002985000-memory.dmp

memory/4200-262-0x00000000061B0000-0x00000000061FC000-memory.dmp

memory/3984-260-0x00000000059F0000-0x0000000005AFA000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

C:\Users\Admin\AppData\Local\Temp\is-JOVGJ.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Users\Admin\AppData\Local\Temp\is-JOVGJ.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

memory/5008-284-0x0000000000540000-0x0000000000541000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/4200-287-0x0000000002850000-0x0000000002860000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/2880-202-0x0000000074700000-0x0000000074EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/3120-195-0x00000000032D0000-0x00000000032E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/4176-188-0x0000000010000000-0x00000000101A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 bac44e7df567707aa1a02bf007f43b04
SHA1 8646773428d9cba97af2d3dfd98ae293d0f52532
SHA256 5f0248ca1349b83385cdc76f3fe4c0e9d90a0ca8faa11b6aac03dcd88110e54c
SHA512 ae842b2c8eb291a6233e68d60b9ec40b92c7724ed7e4a8db7f14cac8d743603f5472970766d5317652991e8ec2dfa0522311e5c2c376b5a964fe8515d36906f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c0419d05ad443966df72dd199ad71dd8
SHA1 0ba0b1ddfbd9e45879342dba9191efbc478edf05
SHA256 49e4e0f0690e9d8e830bd520e4cd37e616a530274c6b9ce978f11c122c19696b
SHA512 e63bd124dd8d1b8993b42507a81e39c74edabfc5798cef0869638f3c2ee95a4646aab829d0d974e7912d7fa127f1098d98b92d31b4b01e1d4b4ddfd8e6e84c91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 ee3fd4a5995f0ac352a956a6da8c6ca9
SHA1 aeb84746ba0137f7301f9babe8902aef7efb43a0
SHA256 82909266afb2a8883300995e213da6ab032be9499d2704f745f09ad6e4652035
SHA512 8ffee8d8f24d45b9fa800bafc109bfd0976a09a097110b6ce860a12fbcdb7e2b4a7842752a9af709e55e06524c595e77d47e3874242ff83d8f5d41dc7bd5bc8c

memory/4660-288-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/4660-297-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5008-295-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4176-309-0x0000000002370000-0x0000000002478000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

\??\pipe\LOCAL\crashpad_2752_FVCGTSHUMCQMOOXP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

memory/1328-332-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 af0d2f9b99c5aa849d100e1fcf41481f
SHA1 46b33c5cc7481b32b11c55e1c805d8eb6b15c792
SHA256 4d0232517ff056f53ad06c7a3145bf90438b571a457f909d4d72c40655f39b5b
SHA512 4a599d4eb7744d6e26a099574ee61090527b2a8070b67ce6883f8e73c975b717f510e6c038175c14608bf18efb4ac46a46bd4ad758c74e57f0be91fbf8b46aa5

memory/4176-339-0x0000000002480000-0x000000000256D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1f087d6c54f89711af0b69630e3cd98e
SHA1 e02496bde279852cd2ffa09451ea3a84e2833bd0
SHA256 dfb45a104b53f81aa4dbfea7ff5fd6d2b816eb9627b044d3371e2c8e2ba7bc5a
SHA512 f6e2fd3cd0dcf445fbc00164f129d2da060089bb8256c338752dc51e4f478fcebc747dd5467e02a96a948b8a2deebb5280246e5d336b9f04c4000ab12bce6c37

memory/4176-357-0x0000000010000000-0x00000000101A4000-memory.dmp

memory/4176-358-0x0000000002480000-0x000000000256D000-memory.dmp

memory/4176-372-0x0000000002480000-0x000000000256D000-memory.dmp

\??\pipe\LOCAL\crashpad_3448_CCHJODHVJALXLJEO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bf28bbc66e2c3c82cc6ca7d795735062
SHA1 6f47ee8837557395327a2dbec22d97147c1d80d9
SHA256 5dc9df499309e6bc68e37fc4169cf585fbee646152e9490de7a4da6ecc853b2d
SHA512 af0bea806c408dc4f7c7bda9377d500b1f1f87489f62890c470598e2d5184eb1fab38c87f24b0a5a499014cddd5554d45500b7680bac56cbccc94f205f835dc8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 af0d2f9b99c5aa849d100e1fcf41481f
SHA1 46b33c5cc7481b32b11c55e1c805d8eb6b15c792
SHA256 4d0232517ff056f53ad06c7a3145bf90438b571a457f909d4d72c40655f39b5b
SHA512 4a599d4eb7744d6e26a099574ee61090527b2a8070b67ce6883f8e73c975b717f510e6c038175c14608bf18efb4ac46a46bd4ad758c74e57f0be91fbf8b46aa5

memory/1328-427-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f5b986e31488748e53bc77991a340cf3
SHA1 7cbe7dd25daa80efa6695d6a4f50b2936a5560d0
SHA256 cfd2bd5c76e88c0592cd14111e2fb24ef3265c699be9e68049d9ca04d56cfa1b
SHA512 d7e98c5e11a049c773635e33684c0a2192c77030365e46ae71bf533925b5d4d6cc31956ab5b4351cc468bd39dbb5df36dc443cc418e65da6c1bd6ec6c216dc85

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d985875547ce8936a14b00d1e571365f
SHA1 040d8e5bd318357941fca03b49f66a1470824cb3
SHA256 8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf
SHA512 ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bf28bbc66e2c3c82cc6ca7d795735062
SHA1 6f47ee8837557395327a2dbec22d97147c1d80d9
SHA256 5dc9df499309e6bc68e37fc4169cf585fbee646152e9490de7a4da6ecc853b2d
SHA512 af0bea806c408dc4f7c7bda9377d500b1f1f87489f62890c470598e2d5184eb1fab38c87f24b0a5a499014cddd5554d45500b7680bac56cbccc94f205f835dc8

memory/4660-470-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a28c5a21146adc762d091c866dbbf651
SHA1 8e31f4ea203b6b9bda0db03365836ff269f6c672
SHA256 b8a89fab00a4b047b4188b64c732f28be5cd6cb58539a0176fbe7aa377a938ca
SHA512 0ae62e213aa72998ac58ed28e6d03686b2227829a86549e2ac12e2d5fb80d69817c6c47fc8d8080f688f570611f78970911acbddf6495668f21652070a167ec0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5927d1.TMP

MD5 867cdadebb85826e196aefcf1cb0c609
SHA1 20b5dbf7debca3e74e80d1beb318c50a925ef143
SHA256 213e1f72432e9b4586b42034016cbae8f1938cc041a4dd99b0444872a6aadd07
SHA512 19c138d886ad2bbeae0e4dcee058ac5877227e5c1c36e1952d495fe6aedbcb39934e718817099c0add2ab317838ad5b09080646ea48cf6d708f835952011a8c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 69b52bca302a28a6fb246b111023da92
SHA1 48daa8eee8d6deff31440495c43dc9429224e72f
SHA256 5887e4c750c6c6abbc8ad4fb98c8835a538b96bb6d6a7abed1219efea5e9fa3a
SHA512 0527c7409dfa49cedea2e1cd4f292d4174c5fbeb4d7ece339f87f11a2a3718e082b89e0446af0c4317f86abd9560a9f16b01bc74ff3e9979e2e0f904fdf0b796

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 00af20d979f777033e3830b298848855
SHA1 c688cac43ebeb5977e906456bae2503db4f21287
SHA256 a4909d1e918c1c7b4ca9d809b9bdb403d768b6b1e879c2fbb6a003504803b7b2
SHA512 80f96f9250b38ade02578673441045ebb54286f9735da63929ddeca23fa15a5c87e7542928ace3f84f10b3b1454c0a8451665fd2eb4973b41107627e42ccee54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Roaming\bffcehb

MD5 2d911f49c957cc0281b3397a5baec56f
SHA1 561c0f8fc84e757d39cdf84534a0551989afada2
SHA256 55a81d333ac20da1e33993b3bcf7f9e44927776f4d50560fe358ef1d3cc9b413
SHA512 9dfaabbeb116d5b6c0521cc39c3fbdcf6c94f517da80314e59b670f1fd0a5fe537ac6307b33465f7a74c42437f880d5cc06aeab0dac9fbf99d73d646c1e869fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 ac7fd2a4b4f15b30dcc3e51b66496c5e
SHA1 89838b96c640b45589abb3312692b867967c5964
SHA256 9793986763f9342af7533cf4357af84e76b0f8642b79003cf00677e160b0536f
SHA512 3b9e4f95398e1aad0dfc1166772f99e871adf73a03b5847a1c6835ffcc13b23f151b70c9dc55474bbff4418dabf81844e29cdf0fe942983179d865b115d5be6d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e0c32170e0b9d1adcd719c99d4657a9b
SHA1 fe41f67ac662bb44eba6b649912242a590281c42
SHA256 4814019e9178b288e334328b0703109ff98194c243d79d99b6518e537579ade4
SHA512 be15082a268ad82986dcc998135c5430ab0c1f6b2e3957d5235693d6f88265fb63a7072d4a9ba5447728a08e57c4c6f1207d34630d2bb520d341ae0e84cf881a