Malware Analysis Report

2025-04-14 05:29

Sample ID 230926-tza3nabe41
Target 1ae60da15181e67f12dc63aa6480723836b39b00e2d71b40eab23473a1f8f141
SHA256 1ae60da15181e67f12dc63aa6480723836b39b00e2d71b40eab23473a1f8f141
Tags
djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 up3 backdoor discovery dropper evasion infostealer loader persistence ransomware rootkit spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1ae60da15181e67f12dc63aa6480723836b39b00e2d71b40eab23473a1f8f141

Threat Level: Known bad

The file 1ae60da15181e67f12dc63aa6480723836b39b00e2d71b40eab23473a1f8f141 was found to be: Known bad.

Malicious Activity Summary

djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 up3 backdoor discovery dropper evasion infostealer loader persistence ransomware rootkit spyware stealer trojan

Windows security bypass

UAC bypass

SmokeLoader

Djvu Ransomware

Detected Djvu ransomware

RedLine

Glupteba

Glupteba payload

Modifies Windows Firewall

Downloads MZ/PE file

Executes dropped EXE

Windows security modification

Reads user/profile data of web browsers

Modifies file permissions

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Checks whether UAC is enabled

Manipulates WinMonFS driver.

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: MapViewOfSection

System policy modification

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

Enumerates system info in registry

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-26 16:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-26 16:29

Reported

2023-09-26 16:31

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ae60da15181e67f12dc63aa6480723836b39b00e2d71b40eab23473a1f8f141.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\C17C.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\C17C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\C17C.exe = "0" C:\Users\Admin\AppData\Local\Temp\C17C.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D98B.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D98B.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BF49.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\C17C.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CF77.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D564.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D98B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DFA8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D98B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PR394.tmp\is-PJQS4.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D98B.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D98B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\C17C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\C17C.exe = "0" C:\Users\Admin\AppData\Local\Temp\C17C.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\C17C.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\cac3a6c1-89c5-4512-87e3-0ab2b0f08647\\BF49.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\BF49.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\C17C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\C17C.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-PR394.tmp\is-PJQS4.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-QT5N9.tmp C:\Users\Admin\AppData\Local\Temp\is-PR394.tmp\is-PJQS4.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-GONAJ.tmp C:\Users\Admin\AppData\Local\Temp\is-PR394.tmp\is-PJQS4.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-SS6CC.tmp C:\Users\Admin\AppData\Local\Temp\is-PR394.tmp\is-PJQS4.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-VNCRG.tmp C:\Users\Admin\AppData\Local\Temp\is-PR394.tmp\is-PJQS4.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-PR394.tmp\is-PJQS4.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-PR394.tmp\is-PJQS4.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\D564.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\D564.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\D564.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1ae60da15181e67f12dc63aa6480723836b39b00e2d71b40eab23473a1f8f141.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1ae60da15181e67f12dc63aa6480723836b39b00e2d71b40eab23473a1f8f141.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1ae60da15181e67f12dc63aa6480723836b39b00e2d71b40eab23473a1f8f141.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ae60da15181e67f12dc63aa6480723836b39b00e2d71b40eab23473a1f8f141.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ae60da15181e67f12dc63aa6480723836b39b00e2d71b40eab23473a1f8f141.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 776 wrote to memory of 4728 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 776 wrote to memory of 4728 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 776 wrote to memory of 4728 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 4728 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 4728 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 4728 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 4728 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 4728 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 4728 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 4728 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 4728 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 4728 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 4728 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 776 wrote to memory of 1168 N/A N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe
PID 776 wrote to memory of 1168 N/A N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe
PID 776 wrote to memory of 1168 N/A N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe
PID 3416 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Windows\SysWOW64\icacls.exe
PID 3416 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Windows\SysWOW64\icacls.exe
PID 3416 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Windows\SysWOW64\icacls.exe
PID 3416 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 3416 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 3416 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 776 wrote to memory of 2992 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe
PID 776 wrote to memory of 2992 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe
PID 776 wrote to memory of 2992 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe
PID 3596 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 3596 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 3596 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 3596 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 3596 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 3596 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 3596 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 3596 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 3596 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 3596 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\BF49.exe C:\Users\Admin\AppData\Local\Temp\BF49.exe
PID 1168 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
PID 1168 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
PID 1168 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 1168 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 1168 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2992 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 2992 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 1168 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 1168 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 1168 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 1168 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 1168 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\C17C.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
PID 2992 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2992 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 2992 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 776 wrote to memory of 1992 N/A N/A C:\Users\Admin\AppData\Local\Temp\D564.exe
PID 776 wrote to memory of 1992 N/A N/A C:\Users\Admin\AppData\Local\Temp\D564.exe
PID 776 wrote to memory of 1992 N/A N/A C:\Users\Admin\AppData\Local\Temp\D564.exe
PID 2992 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2992 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2992 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2992 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe C:\Users\Admin\AppData\Local\Temp\D98B.exe
PID 2992 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe C:\Users\Admin\AppData\Local\Temp\D98B.exe
PID 2992 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\CF77.exe C:\Users\Admin\AppData\Local\Temp\D98B.exe
PID 3568 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
PID 3568 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\C17C.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1ae60da15181e67f12dc63aa6480723836b39b00e2d71b40eab23473a1f8f141.exe

"C:\Users\Admin\AppData\Local\Temp\1ae60da15181e67f12dc63aa6480723836b39b00e2d71b40eab23473a1f8f141.exe"

C:\Users\Admin\AppData\Local\Temp\BF49.exe

C:\Users\Admin\AppData\Local\Temp\BF49.exe

C:\Users\Admin\AppData\Local\Temp\BF49.exe

C:\Users\Admin\AppData\Local\Temp\BF49.exe

C:\Users\Admin\AppData\Local\Temp\C17C.exe

C:\Users\Admin\AppData\Local\Temp\C17C.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\cac3a6c1-89c5-4512-87e3-0ab2b0f08647" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\BF49.exe

"C:\Users\Admin\AppData\Local\Temp\BF49.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\CF77.exe

C:\Users\Admin\AppData\Local\Temp\CF77.exe

C:\Users\Admin\AppData\Local\Temp\BF49.exe

"C:\Users\Admin\AppData\Local\Temp\BF49.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\C17C.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1348 -ip 1348

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\D564.exe

C:\Users\Admin\AppData\Local\Temp\D564.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\D98B.exe

C:\Users\Admin\AppData\Local\Temp\D98B.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DD45.dll

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\AppData\Local\Temp\is-PR394.tmp\is-PJQS4.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PR394.tmp\is-PJQS4.tmp" /SL4 $D0228 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd03ed46f8,0x7ffd03ed4708,0x7ffd03ed4718

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 288

C:\Users\Admin\AppData\Local\Temp\D98B.exe

"C:\Users\Admin\AppData\Local\Temp\D98B.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd03ed46f8,0x7ffd03ed4708,0x7ffd03ed4718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3340 -ip 3340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 568

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Users\Admin\AppData\Local\Temp\D98B.exe

"C:\Users\Admin\AppData\Local\Temp\D98B.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15496407462750164268,16680197279894419549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,15496407462750164268,16680197279894419549,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3272 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15496407462750164268,16680197279894419549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3260 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15496407462750164268,16680197279894419549,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3076 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15496407462750164268,16680197279894419549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3448 -ip 3448

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\D98B.exe

C:\Users\Admin\AppData\Local\Temp\D98B.exe

C:\Users\Admin\AppData\Local\Temp\DFA8.exe

C:\Users\Admin\AppData\Local\Temp\DFA8.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\DD45.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,7439294287696564005,11844841415232339528,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 568

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15496407462750164268,16680197279894419549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 226.145.62.23.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 potunulit.org udp
US 188.114.96.0:80 potunulit.org tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
BG 193.42.32.101:80 193.42.32.101 tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 101.32.42.193.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 254.217.0.162.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 101.15.18.104.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
NL 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
PL 146.59.10.173:45035 tcp
US 8.8.8.8:53 173.10.59.146.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
NL 173.223.118.41:443 learn.microsoft.com tcp
US 8.8.8.8:53 28.146.62.23.in-addr.arpa udp
US 8.8.8.8:53 41.118.223.173.in-addr.arpa udp
US 8.8.8.8:53 mdec.nelreports.net udp
NL 84.53.175.81:443 mdec.nelreports.net tcp
US 8.8.8.8:53 81.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 126.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 f806a77b-9616-474a-ace6-ae88b86146a2.uuid.cdneurops.health udp
US 8.8.8.8:53 gudintas.at udp
MX 201.124.210.95:80 gudintas.at tcp
US 8.8.8.8:53 95.210.124.201.in-addr.arpa udp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
US 8.8.8.8:53 server7.cdneurops.health udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
SG 74.125.24.127:19302 stun3.l.google.com udp
MX 201.124.210.95:80 gudintas.at tcp
US 8.8.8.8:53 127.24.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
MX 201.124.210.95:80 gudintas.at tcp
US 8.8.8.8:53 datasheet.fun udp
US 104.21.89.251:80 datasheet.fun tcp
US 8.8.8.8:53 251.89.21.104.in-addr.arpa udp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
N/A 127.0.0.1:443 tcp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

memory/832-1-0x0000000002830000-0x0000000002930000-memory.dmp

memory/832-2-0x00000000042E0000-0x00000000042E9000-memory.dmp

memory/832-3-0x0000000000400000-0x000000000259F000-memory.dmp

memory/776-4-0x0000000002D50000-0x0000000002D66000-memory.dmp

memory/832-5-0x0000000000400000-0x000000000259F000-memory.dmp

memory/832-8-0x00000000042E0000-0x00000000042E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BF49.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

C:\Users\Admin\AppData\Local\Temp\BF49.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/4728-17-0x0000000004230000-0x00000000042C4000-memory.dmp

memory/4728-18-0x0000000004420000-0x000000000453B000-memory.dmp

memory/3416-19-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BF49.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/3416-21-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C17C.exe

MD5 c00bb4f6743b66f820229cb1e7f366ea
SHA1 e54b697cf11d1478c9647794d1573800faa27109
SHA256 b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
SHA512 4b0a469a4a93fee2e0bbc92e0aaedba61be80f49bce71cceeb87c18f101306ae10a45d8ae7c776f430c9d716508e81ae0596000c721b25c4923c323fe8a4e0c0

C:\Users\Admin\AppData\Local\Temp\C17C.exe

MD5 c00bb4f6743b66f820229cb1e7f366ea
SHA1 e54b697cf11d1478c9647794d1573800faa27109
SHA256 b23c89dc98fb361f80ae25c1d3e22fc9084f85b5c566ccdfa32c2ca0b5990ff9
SHA512 4b0a469a4a93fee2e0bbc92e0aaedba61be80f49bce71cceeb87c18f101306ae10a45d8ae7c776f430c9d716508e81ae0596000c721b25c4923c323fe8a4e0c0

memory/3416-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1168-27-0x00000000007B0000-0x0000000000842000-memory.dmp

memory/1168-28-0x0000000074980000-0x0000000075130000-memory.dmp

memory/3416-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1168-30-0x00000000053C0000-0x000000000545C000-memory.dmp

memory/1168-31-0x0000000005D50000-0x00000000062F4000-memory.dmp

memory/1168-38-0x00000000058A0000-0x0000000005932000-memory.dmp

C:\Users\Admin\AppData\Local\cac3a6c1-89c5-4512-87e3-0ab2b0f08647\BF49.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/1168-41-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/1168-42-0x00000000051E0000-0x000000000521A000-memory.dmp

memory/1168-43-0x0000000005240000-0x000000000525A000-memory.dmp

memory/3416-45-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BF49.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

C:\Users\Admin\AppData\Local\Temp\CF77.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

C:\Users\Admin\AppData\Local\Temp\CF77.exe

MD5 46ec3f1333f627b301fa9c871343bc9a
SHA1 59483a7dd5c33a5a14c4da9441230f7810cd4329
SHA256 9b9cbe098bcd6261d2ec404c6da54c7977f7d9919b3daac26c72fa30fa8aafe6
SHA512 b64ba101fb60943980826d3b4597fdada8670beb2a927d0a022901c09be1833cfa83b990a67bbada136108146b301436bd6ebdf90b0d36a5c01978ca95413e1d

memory/3596-54-0x00000000041E0000-0x000000000427D000-memory.dmp

memory/1348-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1348-59-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BF49.exe

MD5 8fb5884727443d49fe80bccca09a1721
SHA1 be223db10499998670d653d2411ebd98ab65a969
SHA256 e0c42db7f11f4ac812636d9a3f737fb43d40bdc21566f4092441e4cb805302b3
SHA512 a8108837e27ba65ca26456bf7c5502fe8fc6f32ed7e19a867e997675b806e48297eca85c9a1fb8cece2789878674943632f17c033a2406e16a57b842c578aa78

memory/1348-66-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1160-67-0x0000000074980000-0x0000000075130000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/4224-72-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1160-76-0x00000000020F0000-0x0000000002100000-memory.dmp

memory/1160-84-0x0000000004C80000-0x00000000052A8000-memory.dmp

memory/1168-86-0x0000000074980000-0x0000000075130000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\D564.exe

MD5 f13c46c4500e163f3fe8a6e4d6c9a67e
SHA1 d24ebe94d1c630980e6a87058e3300ed0d9866f9
SHA256 d0aac820e2a832759cf1fe873cebe6e45649de81393b1bd631455274011ed03b
SHA512 dfdf41f09d13cc62eca75339a19ad0006a5f81f4aa8dc9c06753508c0b2c8e08475e6da59b09fe295b1d29a36fbbc65fb5f1f0d5a9c6b21a7151efefaa8cd4ef

C:\Users\Admin\AppData\Local\Temp\D564.exe

MD5 f13c46c4500e163f3fe8a6e4d6c9a67e
SHA1 d24ebe94d1c630980e6a87058e3300ed0d9866f9
SHA256 d0aac820e2a832759cf1fe873cebe6e45649de81393b1bd631455274011ed03b
SHA512 dfdf41f09d13cc62eca75339a19ad0006a5f81f4aa8dc9c06753508c0b2c8e08475e6da59b09fe295b1d29a36fbbc65fb5f1f0d5a9c6b21a7151efefaa8cd4ef

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

memory/1992-116-0x0000000002700000-0x0000000002709000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/3568-129-0x000000000276C000-0x000000000277F000-memory.dmp

memory/3568-132-0x0000000002700000-0x0000000002709000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D98B.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/1160-133-0x0000000004C40000-0x0000000004C62000-memory.dmp

memory/1992-136-0x0000000000400000-0x0000000002599000-memory.dmp

memory/1160-137-0x0000000005390000-0x00000000053F6000-memory.dmp

memory/1160-134-0x0000000005320000-0x0000000005386000-memory.dmp

memory/1160-144-0x0000000005400000-0x0000000005754000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DD45.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

memory/3404-161-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3404-166-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4272-167-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DD45.dll

MD5 bd882e889728e1bca4297f27233c43df
SHA1 431fd3c4bf6ef4dbb0bd84f5a4c3a2a17c2fbbbc
SHA256 4d3db3810a53df273816c5499d9898e7ab8e505a2a5b146159a2b4b54f40140b
SHA512 128d344a7f981bdada8fe4405947a7368e03bd66b1cb4271441cf1575b1fa0373a5c251a5ff2e70533ddc296444fc61637cde5675a5fe6100c25b1f291533fcf

memory/1472-184-0x0000000004B80000-0x000000000546B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\is-PR394.tmp\is-PJQS4.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/1580-192-0x0000000010000000-0x00000000101A4000-memory.dmp

memory/1472-199-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PR394.tmp\is-PJQS4.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/2532-190-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

memory/1100-189-0x0000000074980000-0x0000000075130000-memory.dmp

memory/3404-182-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/3968-172-0x0000000004340000-0x000000000445B000-memory.dmp

memory/1472-170-0x0000000004770000-0x0000000004B73000-memory.dmp

memory/3968-169-0x00000000042AE000-0x000000000433F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D98B.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\DFA8.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

C:\Users\Admin\AppData\Local\Temp\DFA8.exe

MD5 29c0efd4710db6a934dcbbb8bd4163be
SHA1 0c3b38142b6a55f7d5398756d1332226ef679a21
SHA256 5069b9107f9de1e2e683a7ea286a4b29bf2e61be2f22e16801877051abbd3a6d
SHA512 7318ff051e4f8feb53ea51516b86f0b6f3fb3b9a5158eb090315bb94da852f928f871edf8103cd7a25ad5ac072677951141d43c9ff234db096f70a2e8fbc00fe

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/2532-216-0x000000001BB40000-0x000000001BB50000-memory.dmp

memory/4272-218-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2100-221-0x0000000000530000-0x0000000000531000-memory.dmp

memory/1580-222-0x0000000001110000-0x0000000001116000-memory.dmp

memory/4624-230-0x0000000000C60000-0x0000000000C66000-memory.dmp

memory/776-223-0x00000000080C0000-0x00000000080D6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 09d2bae3b05f4c92b25a8c6225df6483
SHA1 ff084d8a1f43903b95bf9144b3719126a3d40cc8
SHA256 a282e51236ad1fb5eb73b2d8d8cb022213cda792705d8f595b504e2b6d2e00c5
SHA512 2151cb657a649acbc7009b20a0101f4d196a2c3cf4793885f95e8b865fb6da424a17fa139b97e312e2157a559beb5be63c824841c871114fec949d810c92bd2c

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/4624-246-0x0000000074980000-0x0000000075130000-memory.dmp

memory/1992-232-0x0000000000400000-0x0000000002599000-memory.dmp

memory/1536-249-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/4624-256-0x0000000004F40000-0x000000000504A000-memory.dmp

memory/4624-257-0x0000000004E50000-0x0000000004E62000-memory.dmp

memory/4624-260-0x0000000004EB0000-0x0000000004EEC000-memory.dmp

memory/3404-266-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1160-269-0x0000000005A40000-0x0000000005A8C000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/4996-273-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/3340-278-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D98B.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/3340-280-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1100-279-0x000000000419C000-0x000000000422D000-memory.dmp

memory/3340-283-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/4996-286-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d5af55f794f9a10c5943d2f80dde5c5
SHA1 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

memory/1472-274-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D98B.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d5af55f794f9a10c5943d2f80dde5c5
SHA1 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

memory/4624-259-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

memory/1160-258-0x0000000005A10000-0x0000000005A2E000-memory.dmp

memory/1536-255-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4624-253-0x0000000005450000-0x0000000005A68000-memory.dmp

memory/1536-247-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d5af55f794f9a10c5943d2f80dde5c5
SHA1 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

memory/1580-299-0x0000000002E50000-0x0000000002F58000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5 3258ad24c6f9dcee0aee246793f11688
SHA1 8043c1d0c94375bccb0221ff2ae890ea9dcac42b
SHA256 d299f038d65638b5295cd9bf73547e6a6d986097ef76b5ba2b6841531b808346
SHA512 9cfc05a80dd8fd92e3dbc04316e0fdcf0de1a37f5bf01d6de543c909aa9ffac769588f744633fa08c7c050624350498e9db6d2297f9e858ba873078102f0dda3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 c0419d05ad443966df72dd199ad71dd8
SHA1 0ba0b1ddfbd9e45879342dba9191efbc478edf05
SHA256 49e4e0f0690e9d8e830bd520e4cd37e616a530274c6b9ce978f11c122c19696b
SHA512 e63bd124dd8d1b8993b42507a81e39c74edabfc5798cef0869638f3c2ee95a4646aab829d0d974e7912d7fa127f1098d98b92d31b4b01e1d4b4ddfd8e6e84c91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5 0a9b5f384de323d2461958f5b187d303
SHA1 58524840633eae4b7284ef7f4bb2ac553bd1730a
SHA256 6b8cb2a8c5e1c14eb00cf4e6a32332f974781400e45729bae5fd3b3b6a39182d
SHA512 189d45e74c14daf1d2fb14c753739e8da314058a202defd08fe5c98099b807543b717f0e1cbbaf232d2a941d34851f938f125011ccdcec78d0f30624bacf3766

memory/3404-236-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2532-234-0x00007FFD07900000-0x00007FFD083C1000-memory.dmp

memory/1160-309-0x0000000074980000-0x0000000075130000-memory.dmp

memory/1580-313-0x0000000010000000-0x00000000101A4000-memory.dmp

memory/4624-217-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-83SD2.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-83SD2.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Users\Admin\AppData\Local\Temp\is-83SD2.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvfdfabx.u45.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6b04bb71c75f6646c95d6fcca615e8ab
SHA1 aac52c673b2898bb41937e0b027b3c584a5ef74f
SHA256 eeef0f292585e22a9fe0f82131377c1c607f1181a74ccc457fa625aa7ea48785
SHA512 7d5e4e0e0c59c3e1e924dc2d5cb39b18dee6bf562fa53b0500cd7184881fee0682049bd39e096f85cd115468fc471f17348da9365ac5f0276b7d615b582a5a8e

\??\pipe\LOCAL\crashpad_3764_ZLENBOLZDULLYMAF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2992-128-0x0000000074980000-0x0000000075130000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D98B.exe

MD5 81a0054a8065b79186a98a212a2d6a5e
SHA1 41a44da8581e024bd20d7ce1310f9b22ccecac90
SHA256 2d3ae3269ec97d38dd211442594f312e31d0f69aa09f8bbc4455d92a00ac9181
SHA512 31faa459ab4bbb7c2ca22cbaedf6d572c9250f0eb005d828c5e7a24e4ee98d46431db8589b207a059882f1984eb82fc976908196ce8f7892e6b7b3f4b2f98b72

memory/4692-126-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4692-121-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1100-119-0x0000000000170000-0x00000000002E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/1992-114-0x0000000002740000-0x0000000002840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 bb924d501954bee604c97534385ecbda
SHA1 05a480d2489f18329fb302171f1b077aa5da6fd2
SHA256 c69c012e1a7a4bd10e44563b48329341f3172715ed3c18b40cb6d05a7f704372
SHA512 23a0464bace69318a013e9e4e9dc34dcf232897fb7a3cf8af33d9bc9e3bbb209e9b7198e9d43cb97a174a45ad82f9c7d52ddadf5b069281092fab0aa2d3d58e0

memory/4260-73-0x00007FF70FF00000-0x00007FF70FFA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/1160-69-0x00000000020F0000-0x0000000002100000-memory.dmp

memory/1160-65-0x0000000002140000-0x0000000002176000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 4c6c11197bbcbdf3a66c9dc1fd7b542f
SHA1 78912bac8af6ed28ba23e58d5e63614444ef64e1
SHA256 830b8d661d5e404c05d5b2b2f5361ab2da6fecc90a561de81354e7840bfc5b63
SHA512 5fd8e96127ec349585e7c925f2692cafa6b5a2bfbd963acea96aa03179e6ea641b4b0fd7e279f63c0102ae93518e90da74e644150cb92a36f7503b6ab9e74948

memory/2992-53-0x0000000074980000-0x0000000075130000-memory.dmp

memory/2992-52-0x00000000004F0000-0x0000000000B84000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d5af55f794f9a10c5943d2f80dde5c5
SHA1 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a8ebc87bb3b0e721f9979e725e4637d7
SHA1 f03fa2c802cb700f4b86f18321bf143823f0d313
SHA256 95f46bc1b30c7e9a4f8b2023814024a797a8d201bda5cc8c7e7dc4f91694d5fa
SHA512 6dd445daa0e906bd57133a6d8ef6709b1629a4177b1162691648750cdf611d462b3b5c53e276cf3f5e2192a0ee04134abb99821eff325050604c70a39393e4bb

memory/1580-342-0x0000000002F60000-0x000000000304D000-memory.dmp

memory/1580-345-0x0000000002F60000-0x000000000304D000-memory.dmp

memory/2100-348-0x0000000000400000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d5af55f794f9a10c5943d2f80dde5c5
SHA1 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7391eed5134bc502e62a13ffa46303af
SHA1 643f3a44decf464e9a26f37fc19861b260832bb9
SHA256 5970837de26d3a19b7baf61c83422d12aabe49d707a38c7d96a694c807d9ce4a
SHA512 ab796866d97063f6a1c84d427363ed2f7b9d9fcd297dd6248b62de92165cdefec2e168ba266ba2bbaa8daa9a0d98f23969e2ea4dd7a4b44e05c0f0022a4ff8c7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a8ebc87bb3b0e721f9979e725e4637d7
SHA1 f03fa2c802cb700f4b86f18321bf143823f0d313
SHA256 95f46bc1b30c7e9a4f8b2023814024a797a8d201bda5cc8c7e7dc4f91694d5fa
SHA512 6dd445daa0e906bd57133a6d8ef6709b1629a4177b1162691648750cdf611d462b3b5c53e276cf3f5e2192a0ee04134abb99821eff325050604c70a39393e4bb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 ea3eb562ae6832a2bf0785ceadcfec6b
SHA1 a55773b14d3350c6fdf9075dda3cba0f8d038247
SHA256 e27b73ea096a878a86c216f6903a35b06353f68379f9c9d000d9a32fe0d4def6
SHA512 a98bc0f24e22535bf59dee45e7aefbccd24ef9ee4bb9c866cb29653bda9bfe714405dabef18260b3209cd542f714df6e04c2d39478b0d22e98019a52b08b1649

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 986c303b18fee9ff0b1fcbc40c7e5971
SHA1 67f5952d6b7ece70a0aabf1a855440437b5965cf
SHA256 ac1ef9bea10874e73614075d79a7a364ada8e77176d0bbc9bfce5b46b67fa931
SHA512 85e0b30881b42b3bf7464f15f234395a693e7fe45ab5822307dbb8830a7904e8e4995fdd88201d8d67a2e8a709a88a6a9a7b0472bcf940d97cef5cb5907d758b

memory/1580-392-0x0000000002F60000-0x000000000304D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7391eed5134bc502e62a13ffa46303af
SHA1 643f3a44decf464e9a26f37fc19861b260832bb9
SHA256 5970837de26d3a19b7baf61c83422d12aabe49d707a38c7d96a694c807d9ce4a
SHA512 ab796866d97063f6a1c84d427363ed2f7b9d9fcd297dd6248b62de92165cdefec2e168ba266ba2bbaa8daa9a0d98f23969e2ea4dd7a4b44e05c0f0022a4ff8c7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a8ebc87bb3b0e721f9979e725e4637d7
SHA1 f03fa2c802cb700f4b86f18321bf143823f0d313
SHA256 95f46bc1b30c7e9a4f8b2023814024a797a8d201bda5cc8c7e7dc4f91694d5fa
SHA512 6dd445daa0e906bd57133a6d8ef6709b1629a4177b1162691648750cdf611d462b3b5c53e276cf3f5e2192a0ee04134abb99821eff325050604c70a39393e4bb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

\??\pipe\LOCAL\crashpad_1564_WYZXOQNIHQWIZJSS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 0eb7dc686307e9d4f249bef8faaea013
SHA1 f7cd6cebe46c2562ca926e1b243172541de69b9f
SHA256 a5d7b366d432df831734f6400b4bd800dcd958e5e30c81a26a31f7f35f9569bc
SHA512 050bc8fcd571f5bd0d4ac2ab50cf2d685a75256019298871369fe3cccb88bd028f4c87114557abf90468c83ad7d54a514733c883e6e77f8e4fd911b6d2e8c96f

memory/1472-516-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7ebceb978bb105b84ab36aba9daaf422
SHA1 dae14d204277ccf4aad8e3dcb068b0f8ec2ce217
SHA256 e39e7276d4d05dbbdf475650896fe05b27ad7be7b3b319c02c373909431e1d3b
SHA512 11f63dda3e4256f121a023cc37412ed4473eeba6d5a481e22c0488823697d6e73d64dd5db2008e5a5b7b081f36577d60f31efe9f4c4621dad17c2121700c37bb

memory/4996-591-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f27c7c41f69a07de160f7410298547b4
SHA1 42be1ecb3b6a0d51871da49dc3c581fee4274d7a
SHA256 437b70be17dcca7b4c722cbcbe0b397d7997eb516b376579c6f02d6449a7252b
SHA512 2b6906e14b48cd6989c2bf1ac5cf4ca60b0d43647f2d2ffef5eeb6082d2bc248424295e90737280ceb4a0210dba6235bfb12aeff38f06447fd3f6f932fe49945

memory/1472-606-0x0000000000400000-0x0000000002985000-memory.dmp

memory/5672-608-0x0000000000400000-0x0000000002985000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 21bdc4635e67b42af297b5d422b47cdc
SHA1 da08dd00ae5bc0da5ec6433569bcc68c4a8a9410
SHA256 f73bfbd1b920825c536bef691413cd8ae7ea01fb869172da38e4775660e96287
SHA512 626aa66348c62b9b7cdb63eb15be3b7cfc9f3d056ad6b05f183e11a5a2e5143448f5797686bbc8039ef6b01e86dd61c3d8639a20dd7298ec4fba9e140329c6a5

C:\Users\Admin\AppData\Roaming\uvceheg

MD5 f13c46c4500e163f3fe8a6e4d6c9a67e
SHA1 d24ebe94d1c630980e6a87058e3300ed0d9866f9
SHA256 d0aac820e2a832759cf1fe873cebe6e45649de81393b1bd631455274011ed03b
SHA512 dfdf41f09d13cc62eca75339a19ad0006a5f81f4aa8dc9c06753508c0b2c8e08475e6da59b09fe295b1d29a36fbbc65fb5f1f0d5a9c6b21a7151efefaa8cd4ef