Malware Analysis Report

2025-04-14 05:54

Sample ID 230926-sxcm2aag7v
Target 6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe
SHA256 6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02
Tags
djvu glupteba redline smokeloader vidar be957cbbdc7ee5ad3ee6c696b5eb3079 logsdiller cloud (tg: @logsdillabot) pub1 up3 backdoor discovery dropper evasion infostealer loader persistence ransomware stealer trojan upx microsoft phishing rootkit spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02

Threat Level: Known bad

The file 6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe was found to be: Known bad.

Malicious Activity Summary


Glupteba payload

UAC bypass

Djvu Ransomware

Detected Djvu ransomware

Glupteba

RedLine

Windows security bypass

SmokeLoader

Vidar

Downloads MZ/PE file

Modifies Windows Firewall

Stops running service(s)

Loads dropped DLL

Executes dropped EXE

UPX packed file

Modifies file permissions

Windows security modification

Deletes itself

Checks computer location settings

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Accesses 2FA software files, possible credential harvesting

Looks up external IP address via web service

Manipulates WinMonFS driver.

Checks whether UAC is enabled

Checks installed software on the system

Detected potential entity reuse from brand microsoft.

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Checks SCSI registry key(s)

Modifies system certificate store

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Modifies data under HKEY_USERS

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Uses Task Scheduler COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-26 15:29

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-09-26 15:29

Reported

2023-09-26 15:32

Platform

win7-20230831-en

Max time kernel

26s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe"

Signatures

Detected Djvu ransomware


Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload


RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\94F0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\94F0.exe = "0" C:\Users\Admin\AppData\Local\Temp\94F0.exe N/A

Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\94F0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\94F0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\94F0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\94F0.exe = "0" C:\Users\Admin\AppData\Local\Temp\94F0.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5d991db6-99f2-49ba-8f25-c5c7be12f7b9\\8F93.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\8F93.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2732 set thread context of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Users\Admin\AppData\Local\Temp\8F93.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\21E7.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\8F93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\8F93.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe N/A

Suspicious behavior: GetForegroundWindowSpam


Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1256 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 1256 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 1256 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 1256 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 2732 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 2732 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 2732 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 2732 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 2732 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 2732 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 2732 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 2732 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 2732 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 2732 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 2732 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Users\Admin\AppData\Local\Temp\8F93.exe
PID 1256 wrote to memory of 2684 N/A N/A C:\Users\Admin\AppData\Local\Temp\94F0.exe
PID 1256 wrote to memory of 2684 N/A N/A C:\Users\Admin\AppData\Local\Temp\94F0.exe
PID 1256 wrote to memory of 2684 N/A N/A C:\Users\Admin\AppData\Local\Temp\94F0.exe
PID 1256 wrote to memory of 2684 N/A N/A C:\Users\Admin\AppData\Local\Temp\94F0.exe
PID 2628 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Windows\SysWOW64\icacls.exe
PID 2628 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Windows\SysWOW64\icacls.exe
PID 2628 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Windows\SysWOW64\icacls.exe
PID 2628 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\8F93.exe C:\Windows\SysWOW64\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe

"C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe"

C:\Users\Admin\AppData\Local\Temp\8F93.exe

C:\Users\Admin\AppData\Local\Temp\8F93.exe

C:\Users\Admin\AppData\Local\Temp\8F93.exe

C:\Users\Admin\AppData\Local\Temp\8F93.exe

C:\Users\Admin\AppData\Local\Temp\94F0.exe

C:\Users\Admin\AppData\Local\Temp\94F0.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\5d991db6-99f2-49ba-8f25-c5c7be12f7b9" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\94F0.exe" -Force

C:\Users\Admin\AppData\Local\Temp\8F93.exe

"C:\Users\Admin\AppData\Local\Temp\8F93.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8F93.exe

"C:\Users\Admin\AppData\Local\Temp\8F93.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"

C:\Users\Admin\AppData\Local\Temp\BCFB.exe

C:\Users\Admin\AppData\Local\Temp\BCFB.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build3.exe

"C:\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build3.exe"

C:\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build2.exe

"C:\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build2.exe"

C:\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build2.exe

"C:\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build2.exe"

C:\Users\Admin\AppData\Local\Temp\1D15.exe

C:\Users\Admin\AppData\Local\Temp\1D15.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\20AE.dll

C:\Users\Admin\AppData\Local\Temp\21E7.exe

C:\Users\Admin\AppData\Local\Temp\21E7.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\20AE.dll

C:\Users\Admin\AppData\Local\Temp\1D15.exe

C:\Users\Admin\AppData\Local\Temp\1D15.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 92

C:\Users\Admin\AppData\Local\Temp\1D15.exe

"C:\Users\Admin\AppData\Local\Temp\1D15.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1D15.exe

"C:\Users\Admin\AppData\Local\Temp\1D15.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\Pictures\syX2MbViNsYhTPc5GEohOCAx.exe

"C:\Users\Admin\Pictures\syX2MbViNsYhTPc5GEohOCAx.exe"

C:\Users\Admin\Pictures\vto6I0SvKLguxyD9ItjFZo7m.exe

"C:\Users\Admin\Pictures\vto6I0SvKLguxyD9ItjFZo7m.exe"

C:\Users\Admin\Pictures\TZAyl4DYYdJHYuKb5aS5mAFX.exe

"C:\Users\Admin\Pictures\TZAyl4DYYdJHYuKb5aS5mAFX.exe"

C:\Users\Admin\Pictures\ivuEyl1fnOVfL0482n5WWAuW.exe

"C:\Users\Admin\Pictures\ivuEyl1fnOVfL0482n5WWAuW.exe"

C:\Users\Admin\Pictures\TZAyl4DYYdJHYuKb5aS5mAFX.exe

"C:\Users\Admin\Pictures\TZAyl4DYYdJHYuKb5aS5mAFX.exe"

C:\Users\Admin\Pictures\F6hDI4u7rQagPjUbiUuJljbu.exe

"C:\Users\Admin\Pictures\F6hDI4u7rQagPjUbiUuJljbu.exe"

C:\Users\Admin\Pictures\3a5G9fyOyniU0KtvzMCw5ob4.exe

"C:\Users\Admin\Pictures\3a5G9fyOyniU0KtvzMCw5ob4.exe"

C:\Users\Admin\Pictures\n1vPOyUmIhrOx5TR23tGd7sX.exe

"C:\Users\Admin\Pictures\n1vPOyUmIhrOx5TR23tGd7sX.exe" /s

C:\Users\Admin\Pictures\2O8MmnZlT025ljzIEsRJqEa0.exe

"C:\Users\Admin\Pictures\2O8MmnZlT025ljzIEsRJqEa0.exe"

C:\Users\Admin\AppData\Local\Temp\is-FSDVH.tmp\is-NAN64.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FSDVH.tmp\is-NAN64.tmp" /SL4 $120122 "C:\Users\Admin\Pictures\3a5G9fyOyniU0KtvzMCw5ob4.exe" 2490977 52224

C:\Users\Admin\Pictures\dcLs99IJoVUJCHcDHukJvyDx.exe

"C:\Users\Admin\Pictures\dcLs99IJoVUJCHcDHukJvyDx.exe"

C:\Users\Admin\Pictures\mCnYXFEYzGl4duimAwfgTsR9.exe

"C:\Users\Admin\Pictures\mCnYXFEYzGl4duimAwfgTsR9.exe" --silent --allusers=0

C:\Users\Admin\AppData\Local\Temp\7zS671C.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS71F5.tmp\Install.exe

.\Install.exe /jyafdidIl "385118" /S

C:\Program Files (x86)\OSHMount\OSHMount.exe

"C:\Program Files (x86)\OSHMount\OSHMount.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 25

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 25

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\66d9439c-6bed-4c1f-9fbf-42d4e7cd4b80\build3.exe

"C:\Users\Admin\AppData\Local\66d9439c-6bed-4c1f-9fbf-42d4e7cd4b80\build3.exe"

C:\Users\Admin\AppData\Local\66d9439c-6bed-4c1f-9fbf-42d4e7cd4b80\build2.exe

"C:\Users\Admin\AppData\Local\66d9439c-6bed-4c1f-9fbf-42d4e7cd4b80\build2.exe"

C:\Users\Admin\AppData\Local\66d9439c-6bed-4c1f-9fbf-42d4e7cd4b80\build2.exe

"C:\Users\Admin\AppData\Local\66d9439c-6bed-4c1f-9fbf-42d4e7cd4b80\build2.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\4898513712.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {CEAD9CCC-DA4C-4A38-9659-2F29577ED1D5} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "ivuEyl1fnOVfL0482n5WWAuW.exe" /f & erase "C:\Users\Admin\Pictures\ivuEyl1fnOVfL0482n5WWAuW.exe" & exit

C:\Windows\System32\sc.exe

sc stop UsoSvc

Network


Files

SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/2608-139-0x00000000026F0000-0x0000000002730000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/2608-147-0x00000000026F0000-0x0000000002730000-memory.dmp

memory/2372-149-0x0000000000220000-0x0000000000229000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/2088-151-0x00000000FF960000-0x00000000FFA02000-memory.dmp

memory/1568-155-0x00000000749A0000-0x000000007508E000-memory.dmp

memory/2372-154-0x0000000002712000-0x0000000002725000-memory.dmp

memory/1568-153-0x0000000002310000-0x0000000002350000-memory.dmp

memory/2004-150-0x0000000000400000-0x0000000000409000-memory.dmp

memory/912-156-0x00000000749A0000-0x000000007508E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/2004-165-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2608-163-0x00000000026F0000-0x0000000002730000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/1328-169-0x0000000004300000-0x00000000046F8000-memory.dmp

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/2164-172-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1328-173-0x0000000004300000-0x00000000046F8000-memory.dmp

memory/2004-181-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1256-180-0x0000000002BB0000-0x0000000002BC6000-memory.dmp

memory/1328-176-0x0000000004700000-0x0000000004FEB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

C:\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/2164-210-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/2164-175-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

C:\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/2164-214-0x0000000000400000-0x0000000000537000-memory.dmp

memory/912-218-0x00000000749A0000-0x000000007508E000-memory.dmp

\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

memory/2076-223-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

C:\Users\Admin\AppData\Local\Temp\1D15.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/1524-226-0x0000000002732000-0x0000000002761000-memory.dmp

C:\Users\Admin\AppData\Local\2926f3cc-ee05-420f-aff2-6dac5284df0e\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

memory/1328-221-0x0000000000400000-0x0000000002985000-memory.dmp

memory/2164-233-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1524-232-0x0000000000280000-0x00000000002D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1D15.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/992-217-0x0000000000D80000-0x0000000000EF4000-memory.dmp

memory/2076-235-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/992-237-0x00000000749A0000-0x000000007508E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/2764-248-0x00000000002C0000-0x0000000000351000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21E7.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

C:\Users\Admin\AppData\Local\Temp\21E7.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

C:\Users\Admin\AppData\Local\Temp\20AE.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

\Users\Admin\AppData\Local\Temp\20AE.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

C:\Users\Admin\AppData\Local\Temp\1D15.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

\Users\Admin\AppData\Local\Temp\1D15.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/2848-268-0x0000000010000000-0x00000000101A4000-memory.dmp

memory/3000-280-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2608-281-0x0000000070350000-0x00000000708FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1D15.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/2164-293-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3000-294-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2764-295-0x0000000003FA0000-0x00000000040BB000-memory.dmp

memory/1328-296-0x0000000000400000-0x0000000002985000-memory.dmp

memory/2764-284-0x00000000002C0000-0x0000000000351000-memory.dmp

memory/2076-320-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5f32728253338c8a12d00f84de32ae4
SHA1 80fd004326ef1a28607377f041a7d31d43d4f89d
SHA256 d458f45b4ff8aed28452f8358729a311361b9b408b32715a573a99dabb175d1c
SHA512 31c42fd34573cd50c8d05924dca42bbac7834e194a8d24747bbc5565969ecf457120ce0ce5a56e5e84cc70d573d9f6d218defbecceea42fb88bd68e1fbbf6558

memory/2848-321-0x0000000000140000-0x0000000000146000-memory.dmp

memory/3000-331-0x0000000000400000-0x0000000000537000-memory.dmp

memory/580-358-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40223b974c91b0743e856ed8b80e3ccf
SHA1 285b90a93e7eadb9ec8a4facac649381049eab89
SHA256 1432a597e9e1a896e048cdaf7493fb35f22999a1fdcd927eafa334da673f3c84
SHA512 d2f6722bebf9a407230e7ea46f6b9844a913786f18b9aef8cee82284d2b3272193c03ca2ce88d7b39837a89214950a3c6b02ae37ef61ff7d5ca27d160da40956

memory/580-359-0x0000000000400000-0x0000000000430000-memory.dmp

memory/580-362-0x0000000000400000-0x0000000000430000-memory.dmp

memory/580-364-0x0000000000400000-0x0000000000430000-memory.dmp

memory/580-363-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40223b974c91b0743e856ed8b80e3ccf
SHA1 285b90a93e7eadb9ec8a4facac649381049eab89
SHA256 1432a597e9e1a896e048cdaf7493fb35f22999a1fdcd927eafa334da673f3c84
SHA512 d2f6722bebf9a407230e7ea46f6b9844a913786f18b9aef8cee82284d2b3272193c03ca2ce88d7b39837a89214950a3c6b02ae37ef61ff7d5ca27d160da40956

memory/580-360-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\Temp\21E7.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

\Users\Admin\AppData\Local\Temp\21E7.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

\Users\Admin\AppData\Local\Temp\21E7.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

memory/580-403-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 078f98c18bc507fc3093e7f194ed5b90
SHA1 b88bf7adaa6a07b1785c42e7d99aaac0dc41abb6
SHA256 ff7d04b6cb0edfe67056d51eaf05fede3d21ddc7a6f93357f8a1d43864a72d2e
SHA512 e875d36aa663142a520f31e773cbab581e9dd53f54eaf70d6297113199690dc97d5662756c6d1e942a6a094a48673caea6356b2554a8f40ebf1701318149a7a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 078f98c18bc507fc3093e7f194ed5b90
SHA1 b88bf7adaa6a07b1785c42e7d99aaac0dc41abb6
SHA256 ff7d04b6cb0edfe67056d51eaf05fede3d21ddc7a6f93357f8a1d43864a72d2e
SHA512 e875d36aa663142a520f31e773cbab581e9dd53f54eaf70d6297113199690dc97d5662756c6d1e942a6a094a48673caea6356b2554a8f40ebf1701318149a7a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 078f98c18bc507fc3093e7f194ed5b90
SHA1 b88bf7adaa6a07b1785c42e7d99aaac0dc41abb6
SHA256 ff7d04b6cb0edfe67056d51eaf05fede3d21ddc7a6f93357f8a1d43864a72d2e
SHA512 e875d36aa663142a520f31e773cbab581e9dd53f54eaf70d6297113199690dc97d5662756c6d1e942a6a094a48673caea6356b2554a8f40ebf1701318149a7a0

memory/580-426-0x00000000749A0000-0x000000007508E000-memory.dmp

memory/580-425-0x0000000000320000-0x0000000000326000-memory.dmp

\Users\Admin\AppData\Local\Temp\21E7.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

\Users\Admin\AppData\Local\Temp\1D15.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

\Users\Admin\AppData\Local\Temp\1D15.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/3000-465-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\Pictures\vto6I0SvKLguxyD9ItjFZo7m.exe

MD5 269957dbfbcf36be4001d677fae92f9e
SHA1 716f986bd94932c79b033d17764aa3b47baa4fb1
SHA256 cdd49cb33511e8f78c0f61246d1dfbe5a8476885d7645b2d2de1c5c00ae29af0
SHA512 f2ac27603090168f87dfa5455c7d6f5198cafe16f5961c87860e7aeb0802e933d43fab855eb243ee203b817e0e8c016c1272c5aae98d23bded8f6917e37990f3

memory/2876-499-0x0000000000310000-0x00000000003A1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e77f146044cfa3a3b432fea4836a48fa
SHA1 9b4f490898da4149f33d68a5ef27a58fee36d235
SHA256 bd798199fb3c37f2c52c95d6f143a53863860ccebc21bae8d192f6319e5e1c26
SHA512 5a3c4a81c8f1eb57c735396e505a6a8963813e0a2c8a9140d15a9fa1e1b94b362fe7fec14a14d1909d8bce53001e277a5f2d9ccccffeb1504c8e9fe0d5b14ec5

C:\Users\Admin\AppData\Local\Temp\1D15.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

C:\Users\Admin\Pictures\syX2MbViNsYhTPc5GEohOCAx.exe

MD5 f285d63d18aa4444d4c74b6b59944ecf
SHA1 ee1322ce0afb70d6c0cd2390c3877e666cb60c81
SHA256 a253c68dd1fdd9e2e64c458dffd19676e390fa3b39cf3c9b5da6b2087237b8fe
SHA512 ce0ed95b1f1b30a95388fe18013b1172e687d3c2ec5f9cc5d1d064d85657e4ef8f6b6ef6007eab3b9f6798a3888d7c5d4abf467e917aea68ee7238bdaa4265e1

C:\Users\Admin\Pictures\TZAyl4DYYdJHYuKb5aS5mAFX.exe

MD5 8be63ddf716b2db35b278a29479e5e68
SHA1 cdceddd8406c9c144bc61b6abee66dc65761dd36
SHA256 d78e1e3f405511b28762f3269a8c13145c2e80ba5000e89a632e24dfa302271f
SHA512 323f5afc2e09992437afd636111b2fd601aebd9b8973c78d7f274ca7ee6c77b90089d203f2d03990b519950ef3a84b4a8f66a3bdee3bae6cd7ad37ed4db06e45

C:\Users\Admin\Pictures\ivuEyl1fnOVfL0482n5WWAuW.exe

MD5 e19c11b7ac56a713edc75db9daaadd69
SHA1 02889be25973c5fa84106d80e774d612fa22070b
SHA256 7cbe475397f3905f8dd59c5890bad85dcf65d1617e8249080d9066808827d1ec
SHA512 bcf99ecf225f99ac96e884a9149ff00a96f6492e1a68c5ecdd2c4bbcc8dbd774334304d6ac8ac1eaec13d3c2b8c3dd01fa754dc15f004af91397609c0b221785

C:\Users\Admin\Pictures\n1vPOyUmIhrOx5TR23tGd7sX.exe

MD5 aa3602359bb93695da27345d82a95c77
SHA1 9cb550458f95d631fef3a89144fc9283d6c9f75a
SHA256 e9225898ffe63c67058ea7e7eb5e0dc2a9ce286e83624bd85604142a07619e7d
SHA512 adf43781d3f1fec56bc9cdcd1d4a8ddf1c4321206b16f70968b6ffccb59c943aed77c1192bf701ccc1ab2ce0f29b77eb76a33eba47d129a9248b61476db78a36

C:\Users\Admin\Pictures\3a5G9fyOyniU0KtvzMCw5ob4.exe

MD5 4454bb6cd3813b451bfab161ae5a6cf2
SHA1 ff446de6d42030c2e6c2044762fa05deee95b897
SHA256 d2f9b33d5ad40db7fd3e4994d9cf5b1bbf754071a6d431e263a92d696eb1a8d9
SHA512 29148abd57e6d70b55ef913976204cfb0d0c7dfd5c15c0392120eb668654224a634465fd344ca8437d2e42925bf126fd6001849c7a06caf537e676511b14a565

memory/2460-622-0x00000000002F2000-0x0000000000305000-memory.dmp

memory/2460-623-0x00000000001B0000-0x00000000001B9000-memory.dmp

C:\Users\Admin\Pictures\2O8MmnZlT025ljzIEsRJqEa0.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

memory/1004-629-0x0000000000BB0000-0x0000000000ECC000-memory.dmp

C:\Users\Admin\Pictures\dcLs99IJoVUJCHcDHukJvyDx.exe

MD5 c582d0c4448b428dddb04a6a21f440ff
SHA1 8ba225fe248601a8192c0e0a51bb78c15f825656
SHA256 f6933b70a82f621c116566015c6e2ee758f276b40cdd45f09ac32ec4a23b0148
SHA512 0ae54b79ef4e54f5314078710fa2189935c0334b6cd8383ed68541174ab45f5488c5a4d3be94fbbe30a8fc3b6481ea0e56de5956f0ac9e874c2596c92ad47378

C:\Users\Admin\Pictures\mCnYXFEYzGl4duimAwfgTsR9.exe

MD5 31c83ea9c4d02405cb5b66d79c9961ed
SHA1 f584a33e67259d6652840eebe78c1c150be6c449
SHA256 f998f0570596a03d5ae27847555b30603f33f3704d22ee53b0815bceab757f53
SHA512 b96c1005c29a76b5c4d9721b3fb5dfc1d342501e54b0eb529393a3f53f96d1823ce2bf6da7869f8f757c309a69399283f293f1d9e41c9274cbdabdee1849ff36

memory/2548-742-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2564-860-0x0000000002420000-0x0000000002428000-memory.dmp

memory/2564-859-0x000000001B0E0000-0x000000001B3C2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-26 15:29

Reported

2023-09-26 15:32

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\F202.exe | N/A

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\F202.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\F202.exe = "0" | C:\Users\Admin\AppData\Local\Temp\F202.exe | N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build2.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\F202.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\32A.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos1.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10C8.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EF13.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10C8.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EF13.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EF13.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F202.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32A.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aafg31.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BB6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kos1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10C8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10C8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\set16.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kos.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1927.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-A9G14.tmp\is-JFV4R.tmp | N/A
N/A | N/A | C:\Program Files (x86)\PA Previewer\previewer.exe | N/A
N/A | N/A | C:\Program Files (x86)\PA Previewer\previewer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10C8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10C8.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EF13.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\vjuvrac | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\7de53f91-f0e9-4032-b4f0-4065f6cea1cb\EF13.exe | N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\F202.exe = "0" C:\Users\Admin\AppData\Local\Temp\F202.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\F202.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\F202.exe N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7de53f91-f0e9-4032-b4f0-4065f6cea1cb\\EF13.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\EF13.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\F202.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\F202.exe N/A
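The Defender exclusion rows, the Run-key rows and the EnableLUA rows above are the three host-hardening defeats in this detonation, and they are the rows a responder most needs in machine-readable form. The Python below is an added example, not part of this report and not the sandbox's own tooling: it parses rows in the report's "Description Indicator Process Target" layout (copied inline as constructed sample input) and turns them into findings: which path was excluded from Defender, whether UAC was switched off, and what each Run value launches. The watch-list of Windows process names and the directories they legitimately run from is the script's own assumption; it flags the `csrss` Run value because `csrss.exe` never runs from `C:\Windows\rss`.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: registry rows copied verbatim from the signature tables above.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\F202.exe = "0" C:\Users\Admin\AppData\Local\Temp\F202.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\F202.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7de53f91-f0e9-4032-b4f0-4065f6cea1cb\\EF13.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\EF13.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\F202.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\F202.exe N/A',
]

# One report row: <action> <key path> [= "<data>"] <process> <target>
ROW_RE = re.compile(
    r'^(?P<action>Set value \((?:int|str)\)|Key created|Key opened|Key value queried)\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<data>.*)")?'
    r'\s+(?P<process>[A-Z]:\\.*?|N/A)\s+N/A$'
)

# Assumed watch-list (not from the report): core Windows process names and the
# only directories they legitimately run from.
SYSTEM_BINARIES = {
    'csrss.exe': {r'c:\windows\system32'},
    'smss.exe': {r'c:\windows\system32'},
    'wininit.exe': {r'c:\windows\system32'},
    'winlogon.exe': {r'c:\windows\system32'},
    'services.exe': {r'c:\windows\system32'},
    'lsass.exe': {r'c:\windows\system32'},
    'svchost.exe': {r'c:\windows\system32', r'c:\windows\syswow64'},
    'explorer.exe': {r'c:\windows'},
}


@dataclass
class Finding:
    kind: str          # defender_exclusion | uac_disabled | uac_setting_changed | run_key_persistence
    process: str       # process that made the change
    detail: str
    masquerade: bool = False


def unescape(data: str) -> str:
    """Undo the C-style escaping the report applies to REG_SZ data (\\ and \")."""
    return re.sub(r'\\(["\\])', r'\1', data)


def split_command(command: str) -> tuple[str, str]:
    """Split a Run-value command line into (executable, arguments)."""
    m = re.match(r'^"([^"]+)"\s*(.*)$', command) or re.match(r'^(\S+)\s*(.*)$', command)
    return (m.group(1), m.group(2)) if m else (command, '')


def is_masquerade(exe_path: str) -> bool:
    """True when a system-process name is used from a directory it never lives in."""
    directory, _, name = exe_path.lower().rpartition('\\')
    legit_dirs = SYSTEM_BINARIES.get(name)
    return legit_dirs is not None and directory not in legit_dirs


def classify(row: str) -> Finding | None:
    m = ROW_RE.match(row)
    if not m:
        return None
    action, key, data, process = m.group('action', 'key', 'data', 'process')
    if not action.startswith('Set value'):
        return None                          # key creation and queries are context, not changes
    lowered = key.lower()
    if '\\windows defender\\exclusions\\' in lowered:
        # key looks like ...\Exclusions\Paths\C:\excluded\file.exe (or \Extensions\.ext, \Processes\name)
        category, _, excluded = key.split('\\Exclusions\\', 1)[1].partition('\\')
        return Finding('defender_exclusion', process, f'{category}: {excluded}')
    if lowered.endswith('\\policies\\system\\enablelua'):
        kind = 'uac_disabled' if data == '0' else 'uac_setting_changed'
        return Finding(kind, process, f'EnableLUA={data}')
    if '\\currentversion\\run\\' in lowered:
        value_name = key.rsplit('\\', 1)[1]
        exe, args = split_command(unescape(data))
        return Finding('run_key_persistence', process,
                       f'{value_name} -> {exe} {args}'.rstrip(), masquerade=is_masquerade(exe))
    return None


def analyse(rows: list[str]) -> list[Finding]:
    return [f for f in map(classify, rows) if f is not None]


if __name__ == '__main__':
    for f in analyse(SAMPLE_ROWS):
        flag = ' [MASQUERADE]' if f.masquerade else ''
        print(f'{f.kind:22} {f.process}\n    {f.detail}{flag}')
```

Feed it the rows of any registry table in this report; it ignores "Key created" and "Key value queried" rows on purpose, so the EnableLUA query by F202.exe is not reported, only the subsequent write of 0.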

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (4 entries)

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Detected potential entity reuse from brand microsoft

phishing microsoft

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\rss\csrss.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PA Previewer\is-7O7IG.tmp C:\Users\Admin\AppData\Local\Temp\is-A9G14.tmp\is-JFV4R.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-A9G14.tmp\is-JFV4R.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-A9G14.tmp\is-JFV4R.tmp N/A
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-A9G14.tmp\is-JFV4R.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-46L5R.tmp C:\Users\Admin\AppData\Local\Temp\is-A9G14.tmp\is-JFV4R.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-LEUN7.tmp C:\Users\Admin\AppData\Local\Temp\is-A9G14.tmp\is-JFV4R.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-T95U7.tmp C:\Users\Admin\AppData\Local\Temp\is-A9G14.tmp\is-JFV4R.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\BB6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\BB6.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\BB6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
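Every row in the table above is written under \REGISTRY\USER\.DEFAULT, the profile hive a process sees as HKCU when it runs as LocalSystem, whereas the Run keys earlier in this report sit under the S-1-5-21-...-1000 user hive and the Defender exclusion sits under HKLM\SOFTWARE\WOW6432Node. Decoding the hive tells an analyst which security context each process reached and which processes are 32-bit. The Python below is an added example, not part of this report and not the sandbox's tooling: it reads rows copied from several of the tables here (constructed sample input) and groups, per process, the hive context each one wrote in. The SID and hive mappings are the well-known Windows ones; the labels are the script's own wording.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample input: rows copied verbatim from the registry tables in this report.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A',
    r'Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A',
    r'Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\rss\csrss.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7de53f91-f0e9-4032-b4f0-4065f6cea1cb\\EF13.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\EF13.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\F202.exe = "0" C:\Users\Admin\AppData\Local\Temp\F202.exe N/A',
]

# The acting process is the last drive-letter path before the trailing "N/A" target column.
PROCESS_RE = re.compile(r'\s([A-Z]:\\[^"]*?)\s+N/A$')

# Well-known principals whose profile hives appear under \REGISTRY\USER.
WELL_KNOWN = {
    '.DEFAULT': 'LocalSystem profile hive (.DEFAULT, used by S-1-5-18)',
    'S-1-5-18': 'LocalSystem',
    'S-1-5-19': 'LocalService',
    'S-1-5-20': 'NetworkService',
}


def principal_for(hive_name: str) -> str:
    """Map an HKEY_USERS subkey name to the account it belongs to."""
    if hive_name in WELL_KNOWN:
        return WELL_KNOWN[hive_name]
    m = re.fullmatch(r'S-1-5-21-\d+-\d+-\d+-(\d+)(_Classes)?', hive_name)
    if not m:
        return f'unknown hive {hive_name}'
    rid = int(m.group(1))
    who = 'built-in Administrator' if rid == 500 else f'account RID {rid}'
    return who + (' (Classes hive)' if m.group(2) else '')


def registry_context(row: str) -> tuple[str, str, bool]:
    """Return (hive, principal, wow64) for the key path in one report row."""
    parts = row[row.index('\\REGISTRY\\'):].split('\\')   # ['', 'REGISTRY', 'USER', '.DEFAULT', ...]
    hive = parts[2]
    wow64 = 'WOW6432Node' in parts[3:6]        # HKLM\SOFTWARE\WOW6432Node is the 32-bit view on x64
    principal = 'machine-wide (HKLM)' if hive == 'MACHINE' else principal_for(parts[3])
    return hive, principal, wow64


def process_of(row: str) -> str:
    m = PROCESS_RE.search(row)
    return m.group(1) if m else 'N/A'


def summarise(rows: list[str]) -> dict[str, set[str]]:
    """Group, per acting process, the registry contexts it wrote in."""
    contexts: dict[str, set[str]] = defaultdict(set)
    for row in rows:
        _, principal, wow64 = registry_context(row)
        label = principal + (' [WOW64 view: 32-bit process]' if wow64 else '')
        contexts[process_of(row)].add(label)
    return dict(contexts)


if __name__ == '__main__':
    for proc, labels in summarise(SAMPLE_ROWS).items():
        print(proc)
        for label in sorted(labels):
            print('   ', label)
```

On the sample rows the Glupteba chain (31839b57a4f11171d6abc8bbc4451ee4.exe, csrss.exe, mstsca.exe and the PowerShell it spawns) only ever writes in the LocalSystem profile hive, consistent with the UAC bypass and SYSTEM-level execution elsewhere in this report, while the Djvu stage (EF13.exe) stays in the logged-on user's hive and F202.exe is identified as a 32-bit process by the WOW6432Node redirection.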

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe N/A
N/A N/A N/A N/A (62 entries, process not captured)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F202.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A (2 entries)
Token: SeShutdownPrivilege N/A N/A N/A (30 entries, process not captured)
Token: SeCreatePagefilePrivilege N/A N/A N/A (29 entries, process not captured)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 entries)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3200 wrote to memory of 3572 N/A N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe
PID 3200 wrote to memory of 3572 N/A N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe
PID 3200 wrote to memory of 3572 N/A N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe
PID 3572 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe C:\Users\Admin\AppData\Local\Temp\EF13.exe
PID 3572 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe C:\Users\Admin\AppData\Local\Temp\EF13.exe
PID 3572 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe C:\Users\Admin\AppData\Local\Temp\EF13.exe
PID 3572 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe C:\Users\Admin\AppData\Local\Temp\EF13.exe
PID 3572 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe C:\Users\Admin\AppData\Local\Temp\EF13.exe
PID 3572 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe C:\Users\Admin\AppData\Local\Temp\EF13.exe
PID 3572 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe C:\Users\Admin\AppData\Local\Temp\EF13.exe
PID 3572 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe C:\Users\Admin\AppData\Local\Temp\EF13.exe
PID 3572 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe C:\Users\Admin\AppData\Local\Temp\EF13.exe
PID 3572 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe C:\Users\Admin\AppData\Local\Temp\EF13.exe
PID 3200 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\Temp\F202.exe
PID 3200 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\Temp\F202.exe
PID 3200 wrote to memory of 2900 N/A N/A C:\Users\Admin\AppData\Local\Temp\F202.exe
PID 3444 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe C:\Windows\SysWOW64\icacls.exe
PID 3444 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe C:\Windows\SysWOW64\icacls.exe
PID 3444 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\EF13.exe C:\Windows\SysWOW64\icacls.exe
PID 2900 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\F202.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\F202.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\F202.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\F202.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2900 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\F202.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2900 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\F202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\F202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\F202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2900 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\F202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
PID 2900 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\F202.exe C:\Windows\System32\CompPkgSrv.exe
PID 2900 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\F202.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
PID 3200 wrote to memory of 4948 N/A N/A C:\Users\Admin\AppData\Local\Temp\32A.exe
PID 4948 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\32A.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 4948 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\32A.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 3200 wrote to memory of 3744 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB6.exe
PID 4948 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\32A.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 4948 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\32A.exe C:\Users\Admin\AppData\Local\Temp\kos1.exe
PID 2696 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 3200 wrote to memory of 2512 N/A N/A C:\Users\Admin\AppData\Local\Temp\10C8.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\F202.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe

"C:\Users\Admin\AppData\Local\Temp\6206829f1443cd8b2e266237bfce6c6e584233a0ae064e2d7732bd3573931b02_JC.exe"

C:\Users\Admin\AppData\Local\Temp\EF13.exe

C:\Users\Admin\AppData\Local\Temp\EF13.exe

C:\Users\Admin\AppData\Local\Temp\EF13.exe

C:\Users\Admin\AppData\Local\Temp\EF13.exe

C:\Users\Admin\AppData\Local\Temp\F202.exe

C:\Users\Admin\AppData\Local\Temp\F202.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\7de53f91-f0e9-4032-b4f0-4065f6cea1cb" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\F202.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"

C:\Users\Admin\AppData\Local\Temp\32A.exe

C:\Users\Admin\AppData\Local\Temp\32A.exe

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\BB6.exe

C:\Users\Admin\AppData\Local\Temp\BB6.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\10C8.exe

C:\Users\Admin\AppData\Local\Temp\10C8.exe

C:\Users\Admin\AppData\Local\Temp\10C8.exe

C:\Users\Admin\AppData\Local\Temp\10C8.exe

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\15DA.dll

C:\Users\Admin\AppData\Local\Temp\1927.exe

C:\Users\Admin\AppData\Local\Temp\1927.exe

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\15DA.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\is-A9G14.tmp\is-JFV4R.tmp

"C:\Users\Admin\AppData\Local\Temp\is-A9G14.tmp\is-JFV4R.tmp" /SL4 $90228 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4832 -ip 4832

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Users\Admin\AppData\Local\Temp\10C8.exe

"C:\Users\Admin\AppData\Local\Temp\10C8.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe45f946f8,0x7ffe45f94708,0x7ffe45f94718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_regiis.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Users\Admin\AppData\Local\Temp\10C8.exe

"C:\Users\Admin\AppData\Local\Temp\10C8.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 252

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Users\Admin\AppData\Local\Temp\EF13.exe

"C:\Users\Admin\AppData\Local\Temp\EF13.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\EF13.exe

"C:\Users\Admin\AppData\Local\Temp\EF13.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5552 -ip 5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe45f946f8,0x7ffe45f94708,0x7ffe45f94718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_regiis.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,564460479933726690,12201108115140555815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1448,564460479933726690,12201108115140555815,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1448,564460479933726690,12201108115140555815,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,564460479933726690,12201108115140555815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,564460479933726690,12201108115140555815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,564460479933726690,12201108115140555815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,564460479933726690,12201108115140555815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,564460479933726690,12201108115140555815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1

C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build2.exe

"C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build2.exe"

C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build2.exe

"C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build2.exe"

C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build3.exe

"C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1448,564460479933726690,12201108115140555815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1448,564460479933726690,12201108115140555815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,564460479933726690,12201108115140555815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,564460479933726690,12201108115140555815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,564460479933726690,12201108115140555815,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,564460479933726690,12201108115140555815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build2.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3428 -ip 3428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 1932

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask

C:\Users\Admin\AppData\Local\7de53f91-f0e9-4032-b4f0-4065f6cea1cb\EF13.exe

C:\Users\Admin\AppData\Local\7de53f91-f0e9-4032-b4f0-4065f6cea1cb\EF13.exe --Task

C:\Users\Admin\AppData\Roaming\vjuvrac

C:\Users\Admin\AppData\Roaming\vjuvrac

Network

Files

memory/748-1-0x0000000002610000-0x0000000002710000-memory.dmp

memory/748-2-0x00000000042E0000-0x00000000042E9000-memory.dmp

memory/748-3-0x0000000000400000-0x000000000259F000-memory.dmp

memory/3200-4-0x00000000012D0000-0x00000000012E6000-memory.dmp

memory/748-5-0x0000000000400000-0x000000000259F000-memory.dmp

memory/748-8-0x00000000042E0000-0x00000000042E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EF13.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

C:\Users\Admin\AppData\Local\Temp\EF13.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/3572-17-0x00000000041C0000-0x0000000004260000-memory.dmp

memory/3572-18-0x0000000004410000-0x000000000452B000-memory.dmp

memory/3444-19-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EF13.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/3444-21-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F202.exe

MD5 c00bb4f6743b66f820229cb1e7f366ea
SHA1 e54b697cf11d1478c9647794d1573800faa27109
SHA256 b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
SHA512 4b0a469a4a93fee2e0bbc92e0aaedba61be80f49bce71cceeb87c18f101306ae10a45d8ae7c776f430c9d716508e81ae0596000c721b25c4923c323fe8a4e0c0

memory/3444-26-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F202.exe

MD5 c00bb4f6743b66f820229cb1e7f366ea
SHA1 e54b697cf11d1478c9647794d1573800faa27109
SHA256 b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
SHA512 4b0a469a4a93fee2e0bbc92e0aaedba61be80f49bce71cceeb87c18f101306ae10a45d8ae7c776f430c9d716508e81ae0596000c721b25c4923c323fe8a4e0c0

memory/3444-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2900-29-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/2900-28-0x00000000003E0000-0x0000000000472000-memory.dmp

memory/2900-30-0x0000000004FF0000-0x000000000508C000-memory.dmp

memory/2900-31-0x0000000005980000-0x0000000005F24000-memory.dmp

memory/2900-32-0x00000000054D0000-0x0000000005562000-memory.dmp

memory/2900-39-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

memory/2900-41-0x0000000004F20000-0x0000000004F5A000-memory.dmp

memory/2900-42-0x0000000004F80000-0x0000000004F9A000-memory.dmp

memory/1532-43-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/1532-45-0x00000000012A0000-0x00000000012B0000-memory.dmp

memory/3092-44-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1532-46-0x0000000002AE0000-0x0000000002B16000-memory.dmp

memory/2900-49-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/1532-50-0x00000000055A0000-0x0000000005BC8000-memory.dmp

memory/1532-48-0x00000000012A0000-0x00000000012B0000-memory.dmp

memory/1532-51-0x0000000005430000-0x0000000005452000-memory.dmp

memory/1532-52-0x0000000005D00000-0x0000000005D66000-memory.dmp

memory/1532-53-0x0000000005DE0000-0x0000000005E46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jfo3prw1.x2q.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1532-63-0x0000000005E50000-0x00000000061A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\32A.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

C:\Users\Admin\AppData\Local\Temp\32A.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

memory/4948-69-0x0000000000900000-0x0000000000F94000-memory.dmp

memory/4948-68-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/1532-70-0x0000000006420000-0x000000000643E000-memory.dmp

memory/1532-71-0x0000000006460000-0x00000000064AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/2144-80-0x00007FF74C900000-0x00007FF74C9A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\BB6.exe

MD5 84557503fe54ca0f6810081fcbdcf416
SHA1 8a68b3cd52743a91b13998c201da6d5d9a5eab6a
SHA256 f303ca4118401934086cbf5a6ca3c3b962e706c17240f88f77bdb11db3440bad
SHA512 f94866652ba4fef2c60d54f651b5c05c4846698aa18628c4472fccda97d8b4f6d0917c3a3097199217704fea06c0bbd15fb0f12792f0822cfdfdd3c7c65fac3d

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/3444-120-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2696-124-0x0000000002780000-0x0000000002880000-memory.dmp

memory/1852-126-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2696-127-0x00000000026B0000-0x00000000026B9000-memory.dmp

memory/3744-132-0x00000000025A0000-0x00000000026A0000-memory.dmp

memory/3744-135-0x00000000040A0000-0x00000000040A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10C8.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/1852-129-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/4948-130-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/1900-139-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1900-142-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1532-144-0x000000006FA20000-0x000000006FA6C000-memory.dmp

memory/1532-154-0x00000000069C0000-0x00000000069DE000-memory.dmp

memory/2512-158-0x0000000004340000-0x000000000445B000-memory.dmp

memory/1532-160-0x0000000007630000-0x00000000076D3000-memory.dmp

memory/1468-169-0x0000000074700000-0x0000000074EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/3892-187-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\1927.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\7de53f91-f0e9-4032-b4f0-4065f6cea1cb\EF13.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\15DA.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

memory/3120-173-0x0000000004A50000-0x000000000533B000-memory.dmp

memory/1532-159-0x000000007F370000-0x000000007F380000-memory.dmp

memory/3120-157-0x0000000004640000-0x0000000004A43000-memory.dmp

memory/2512-156-0x00000000028BE000-0x000000000294F000-memory.dmp

memory/1900-155-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1532-143-0x00000000075F0000-0x0000000007622000-memory.dmp

memory/3744-141-0x0000000000400000-0x000000000259F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10C8.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/1468-125-0x00000000009D0000-0x0000000000B44000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/1532-199-0x0000000007D90000-0x000000000840A000-memory.dmp

memory/3696-204-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-A9G14.tmp\is-JFV4R.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/1900-212-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4648-218-0x0000000010000000-0x00000000101A4000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 09d2bae3b05f4c92b25a8c6225df6483
SHA1 ff084d8a1f43903b95bf9144b3719126a3d40cc8
SHA256 a282e51236ad1fb5eb73b2d8d8cb022213cda792705d8f595b504e2b6d2e00c5
SHA512 2151cb657a649acbc7009b20a0101f4d196a2c3cf4793885f95e8b865fb6da424a17fa139b97e312e2157a559beb5be63c824841c871114fec949d810c92bd2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 dc96e596dc52d60108a49f0b3feaf7e9
SHA1 1258c4e3bac87a737d2eb500062bf54dcead7aec
SHA256 d3b740dda0d17e3a82650af3dabcd3ac8e685e92b0c433bbf07f8f10091e4aa4
SHA512 e246cfef1d02fb46a231d49de7dac1570aa73fde898cfae97a124a994dafa0d3c71ec071c78bc013a0d451f7712d379f130adf29c559b99bbd7bf96dc053ce6e

C:\Users\Admin\AppData\Local\Temp\is-SI0M7.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/1220-239-0x00007FFE49FA0000-0x00007FFE4AA61000-memory.dmp

memory/3744-217-0x0000000000400000-0x000000000259F000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/4648-254-0x00000000010E0000-0x00000000010E6000-memory.dmp

memory/3944-265-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\ProgramData\ContentDVSvc\ContentDVSvc.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

C:\Users\Admin\AppData\Local\Temp\10C8.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/1900-271-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/3944-259-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/3696-258-0x0000000005450000-0x000000000555A000-memory.dmp

memory/3892-257-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1220-256-0x000000001AFC0000-0x000000001AFD0000-memory.dmp

memory/3696-255-0x0000000005940000-0x0000000005F58000-memory.dmp

memory/3696-251-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/1532-242-0x0000000005150000-0x000000000515A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SI0M7.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c0419d05ad443966df72dd199ad71dd8
SHA1 0ba0b1ddfbd9e45879342dba9191efbc478edf05
SHA256 49e4e0f0690e9d8e830bd520e4cd37e616a530274c6b9ce978f11c122c19696b
SHA512 e63bd124dd8d1b8993b42507a81e39c74edabfc5798cef0869638f3c2ee95a4646aab829d0d974e7912d7fa127f1098d98b92d31b4b01e1d4b4ddfd8e6e84c91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 2a57df697568b2c223b3b61afa328b07
SHA1 13e48b07cc7348126513f00efb1a6f46e166da4a
SHA256 f3c6616c8fb154c0ebebfc4cec949d04eafa654813be584629f2304f53b3e1c9
SHA512 995a8c801e0620d4f9ca6983082025a7ef2c2415da2cb5f9c1ef30663013671419883431901d895f623d14c83613b5ab6f87b98d8a78f8dd6c3bcffe18de4ae2

memory/3696-210-0x00000000051A0000-0x00000000051A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-A9G14.tmp\is-JFV4R.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/3200-207-0x0000000007830000-0x0000000007846000-memory.dmp

memory/1532-203-0x0000000007750000-0x000000000776A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\15DA.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

memory/1468-202-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/5272-283-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5272-286-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3120-279-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10C8.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/3444-295-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EF13.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

memory/3120-200-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EF13.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/5552-311-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5552-314-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1220-201-0x0000000000440000-0x0000000000448000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BB6.exe

MD5 84557503fe54ca0f6810081fcbdcf416
SHA1 8a68b3cd52743a91b13998c201da6d5d9a5eab6a
SHA256 f303ca4118401934086cbf5a6ca3c3b962e706c17240f88f77bdb11db3440bad
SHA512 f94866652ba4fef2c60d54f651b5c05c4846698aa18628c4472fccda97d8b4f6d0917c3a3097199217704fea06c0bbd15fb0f12792f0822cfdfdd3c7c65fac3d

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/1532-90-0x00000000012A0000-0x00000000012B0000-memory.dmp

memory/5552-316-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

memory/5272-321-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4648-323-0x0000000002CF0000-0x0000000002DF8000-memory.dmp

memory/5272-324-0x0000000000400000-0x0000000000537000-memory.dmp

\??\pipe\LOCAL\crashpad_5160_IBAJUDPNGBXGVNII

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

memory/5272-350-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b4b49d3f46716248877e858ea5839351
SHA1 c7ad8ca8fef51f3fb2de9f489d316b6a4cba256e
SHA256 94804b8be53e61363317a7f58b3bc856c83706521cd8db0271bb1e16ae4ef844
SHA512 70e9e152590bff995afade24cb13cea98e4bc586304536cfc3c58ed9f0d40ed9dbd535be978c31f0368974e355b07b7854b9aa9742933a1f7311e9df22a9068c

memory/4648-372-0x0000000002E00000-0x0000000002EED000-memory.dmp

memory/5272-360-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5272-352-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4288-353-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4648-376-0x0000000002E00000-0x0000000002EED000-memory.dmp

C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

memory/4648-409-0x0000000002E00000-0x0000000002EED000-memory.dmp

memory/5272-429-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/3120-411-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build3.exe

MD5 9ead10c08e72ae41921191f8db39bc16
SHA1 abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA256 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512 aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

memory/3428-424-0x0000000000400000-0x0000000000465000-memory.dmp

memory/3428-417-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\0f3d748a-4009-4b43-8586-7c36130ededa\build2.exe

MD5 dcd1bd0f92fe24bf269f0e3ace8de280
SHA1 73c06bb4010b87a83e07bcaf3d181e68d24da11f
SHA256 fc0757507960b91ab61afe79de7e316fabde48f983a8a497a709c19c99012456
SHA512 2846a18a6687b26a4ec7267b16f139a10c1ace288f5bc893a5e600f07dc9714517f2610f33518afda41707a31a68cf0cbcd4b838568bba6f1833edc7300d6ceb

memory/3428-413-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c3d39616fbf5ecfb7d6d546d526ef1fe
SHA1 d9743ba8bc7ef3294e6089de041436efc96adce6
SHA256 5136ff13d4f8b3e9751d22b8c915218f702da6940c2761ade354ce881aa5dddc
SHA512 99094f5ce67f6a4e08c5a34b209cbe30f035f38ea3ad97c3f4f82336fd3b0bc29738951c53b376ecd7ce9629dd73d66fdb181d463c31302509453450ac750726

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b680cd91a1a151bafda908334035efdf
SHA1 0c343077b05478cdfc68676625e8ce1474f3bd64
SHA256 bf7d081c31c3758ac7239b783136a8318497c59bfdad3e9b497ddc5d1f7ca844
SHA512 e8f084a685a2c3665fa477a1264c32c2a154392d2aa5c50596623e0f2eb2b17d35f03f1a9be1ea17132e40422de016b68a92dea97ee2f7aa9f4a431e82a58209

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 25ac77f8c7c7b76b93c8346e41b89a95
SHA1 5a8f769162bab0a75b1014fb8b94f9bb1fb7970a
SHA256 8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b
SHA512 df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 22e53f17eed0724b8d6f9cbf749d252e
SHA1 e9b5a935f97c83eebcfae538d2f6de1f4eabbea9
SHA256 f11ad0ccd2328fc785d55b73fffeccfa75e411a95f604d74eb87ed801b683b55
SHA512 da10e1b88c37c12a4f371d59086cbe8289ea496a053a6ad092cc772b1324f5256fa46879d2005ddeeab0c8ea1e09ed1bb7f26e0d7a6b8c04a2dfafbc5d6c26a9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 882c09a773bc0e727155eaa8e07dbf1c
SHA1 861a1d8d02f91b0f2f67395cc089d16aae113592
SHA256 c190c691e90a16d10ccd6570fa8f03e8b31e28474cb42c1b98cf11e681ed3058
SHA512 8885b351ab936aea6ca21e5a464140a8fd4477937404fe4a1a28c2ac00689e5a77a405648e454d73bec4c8980d2cf1bff7494fa73b2bc5f9d1360bc61533f8f4

C:\Users\Admin\AppData\Roaming\vjuvrac

MD5 84557503fe54ca0f6810081fcbdcf416
SHA1 8a68b3cd52743a91b13998c201da6d5d9a5eab6a
SHA256 f303ca4118401934086cbf5a6ca3c3b962e706c17240f88f77bdb11db3440bad
SHA512 f94866652ba4fef2c60d54f651b5c05c4846698aa18628c4472fccda97d8b4f6d0917c3a3097199217704fea06c0bbd15fb0f12792f0822cfdfdd3c7c65fac3d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4db4e74929d508a0c62b5d5396224d60
SHA1 c10f046dfc66ead3ae822db0be7590e6a90d957b
SHA256 bb58b6b9363e0abd080e1db5831f73c5a46c902b5d57759dd7838da221ff61d6
SHA512 05be9e16eff9cd89dd8420a6276f4e7dd3c94b99e8103bdfeea94fb19b7e086992f340454b68029ea6266ee02e81a43a424483ef362d10b9760afa98b09bab0f
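The listing above is a flat stream of path lines, MD5/SHA1/SHA256/SHA512 lines and memory/<pid>-<seq>-<start>-<end> dump names, with the same path often recorded more than once. To turn it into usable IOC data, here is an added Python example (written for this page; not part of the sandbox report or its tooling) that parses that format, groups records by SHA256 so that a payload written again under a second path stands out (previewer.exe reappearing as ContentDVSvc.exe, BB6.exe reappearing as Roaming\vjuvrac), flags records whose digest is that of zero-length content (the crashpad named pipe carries the empty-input MD5/SHA1/SHA256), rejects digests of the wrong length, and picks the largest dumped region per PID. The SAMPLE text is an excerpt copied from the entries above with SHA512 lines left out for brevity; they parse the same way. Function names and the record layout are the example's own.

```python
"""Parse a sandbox 'Files' listing into structured records and cross-check them.
Added example for this page; not code from the sandbox report or its vendor."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
MEMORY_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_DIGITS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # digest of zero-length content


@dataclass
class FileArtifact:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest


@dataclass
class MemoryRegion:
    pid: int
    seq: int  # capture order within the run
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str):
    """Return (files, regions). A path line opens a record, the hash lines after it
    belong to it, and a memory/... line is a region dump that closes the record."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_LINE.match(line)
        if m:
            current = None
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is not None:  # a hash with no preceding path is a cut-off fragment
                current.hashes[m[1]] = m[2].lower()
            continue
        current = FileArtifact(path=line)
        files.append(current)
    return files, regions


def copies_under_new_names(files):
    """SHA256 -> sorted paths for every digest seen at more than one path:
    the same payload written to a second location, the usual persistence pattern."""
    by_sha = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            by_sha[f.hashes["SHA256"]].add(f.path)
    return {sha: sorted(p) for sha, p in by_sha.items() if len(p) > 1}


def empty_artifacts(files):
    """Paths whose recorded SHA256 is that of zero-length content (pipes, placeholders)."""
    return sorted(f.path for f in files if f.hashes.get("SHA256") == EMPTY_SHA256)


def malformed_hashes(files):
    """(path, algorithm) pairs whose digest has the wrong hex length for its algorithm."""
    return [(f.path, a) for f in files for a, hx in f.hashes.items() if len(hx) != HEX_DIGITS[a]]


def largest_region_per_pid(regions):
    """pid -> largest dumped region, a quick pointer to each process's unpacked image."""
    best = {}
    for r in regions:
        if r.pid not in best or r.size > best[r.pid].size:
            best[r.pid] = r
    return best


# Excerpt copied from the listing above (SHA512 lines omitted).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\BB6.exe
MD5 84557503fe54ca0f6810081fcbdcf416
SHA1 8a68b3cd52743a91b13998c201da6d5d9a5eab6a
SHA256 f303ca4118401934086cbf5a6ca3c3b962e706c17240f88f77bdb11db3440bad

memory/1900-139-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe
MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

C:\ProgramData\ContentDVSvc\ContentDVSvc.exe
MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

C:\Users\Admin\AppData\Roaming\vjuvrac
MD5 84557503fe54ca0f6810081fcbdcf416
SHA1 8a68b3cd52743a91b13998c201da6d5d9a5eab6a
SHA256 f303ca4118401934086cbf5a6ca3c3b962e706c17240f88f77bdb11db3440bad

\??\pipe\LOCAL\crashpad_5160_IBAJUDPNGBXGVNII
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

memory/4648-218-0x0000000010000000-0x00000000101A4000-memory.dmp
"""

if __name__ == "__main__":
    files, regions = parse_report(SAMPLE)
    for sha, paths in copies_under_new_names(files).items():
        print(sha, "->", paths)
    print("zero-length:", empty_artifacts(files))
    print("malformed:", malformed_hashes(files))
    for pid, r in largest_region_per_pid(regions).items():
        print(pid, hex(r.start), hex(r.end), r.size)
```

Pointing parse_report at the full listing instead of SAMPLE gives the complete copy map for this run; the zero-length check keeps the pipe entry and any empty placeholder files out of a blocklist, where they would match every empty file on the estate.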