Malware Analysis Report

2025-06-16 02:09

Sample ID 231002-h21kjshg26
Target 3abcddaeacf95d344fd8dab6a68a27c4e0bdad5ba575ff42e6d2b8de8a042b3f
SHA256 3abcddaeacf95d344fd8dab6a68a27c4e0bdad5ba575ff42e6d2b8de8a042b3f
Tags
amadey dcrat fabookie glupteba healer mystic redline smokeloader @ytlogsbot genda up3 backdoor discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3abcddaeacf95d344fd8dab6a68a27c4e0bdad5ba575ff42e6d2b8de8a042b3f

Threat Level: Known bad

The file 3abcddaeacf95d344fd8dab6a68a27c4e0bdad5ba575ff42e6d2b8de8a042b3f was found to be: Known bad.

Malicious Activity Summary

amadey dcrat fabookie glupteba healer mystic redline smokeloader @ytlogsbot genda up3 backdoor discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan

Glupteba

Detects Healer, an antivirus disabler dropper

SmokeLoader

Mystic

Glupteba payload

Fabookie

Amadey

DcRat

RedLine payload

Detect Fabookie payload

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Uses the VBS compiler for execution

Windows security modification

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Manipulates WinMonFS driver

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-02 07:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-02 07:14

Reported

2023-10-02 07:17

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3abcddaeacf95d344fd8dab6a68a27c4e0bdad5ba575ff42e6d2b8de8a042b3f.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (3 hits, no indicator or process recorded)

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (8 hits, no indicator or process recorded)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\D48A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\D48A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\D48A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\D48A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\D48A.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\D48A.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (2 hits, no indicator or process recorded)

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D602.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCAA.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CEBA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D3FC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D48A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D602.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DCAA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E258.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E595.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3304N.tmp\is-19V7V.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lj226Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\D48A.exe N/A
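
The two D48A.exe registry tables above (the five Disable* writes under the Real-Time Protection policy key, and the TamperProtection = 0 write under the non-policy Features key) are this report's evidence for Defender tampering, ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools). The Python below is an added example, not part of the report and not the sandbox vendor's signature logic: it re-implements the check over event records constructed from those rows, plus two unrelated registry rows from the same report that the check must ignore. The RegEvent class, the function names and the finding labels are this example's own.

```python
"""Flag Windows Defender tampering in sandbox registry events.

Added example for this report, not sandbox vendor code. SAMPLE_EVENTS is
constructed from rows in the report (the D48A.exe rows plus two benign rows).
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Policy key: any Disable* value set to 1 here switches off one layer of
# Defender's real-time (on-access) protection.
RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Non-policy value: 0 here is Tamper Protection off, which is what would
# otherwise make the policy writes above ineffective.
TAMPER_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
ATTACK_ID = "T1562.001"  # Impair Defenses: Disable or Modify Tools


@dataclass(frozen=True)
class RegEvent:
    """One registry row from the report: operation, full path, data, acting process."""
    op: str
    path: str
    data: str | None
    process: str


def defender_findings(ev: RegEvent) -> list[str]:
    """Return zero or more finding labels for a single registry event."""
    findings: list[str] = []
    if not ev.op.startswith("Set value"):
        return findings          # key creation or a query is not a setting change
    key, _, value_name = ev.path.rpartition("\\")
    if (key.lower() == RTP_POLICY_KEY.lower()
            and value_name.lower().startswith("disable") and ev.data == "1"):
        findings.append(f"defender_rtp_off:{value_name}")
    if ev.path.lower() == TAMPER_VALUE.lower() and ev.data == "0":
        findings.append("tamper_protection_off")
    return findings


def assess(events: list[RegEvent]) -> dict[str, list[str]]:
    """Group Defender-tampering findings by acting process (sorted, de-duplicated)."""
    by_proc: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        for finding in defender_findings(ev):
            by_proc[ev.process].add(finding)
    return {proc: sorted(fs) for proc, fs in by_proc.items()}


# Constructed from the report's rows (paths copied, escaping as in the report).
D48A = r"C:\Users\Admin\AppData\Local\Temp\D48A.exe"
GLUPTEBA = r"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
KOS1 = r"C:\Users\Admin\AppData\Local\Temp\kos1.exe"
SAMPLE_EVENTS = [
    RegEvent("Key created", RTP_POLICY_KEY, None, D48A),
    RegEvent("Set value (int)", RTP_POLICY_KEY + r"\DisableBehaviorMonitoring", "1", D48A),
    RegEvent("Set value (int)", RTP_POLICY_KEY + r"\DisableIOAVProtection", "1", D48A),
    RegEvent("Set value (int)", RTP_POLICY_KEY + r"\DisableOnAccessProtection", "1", D48A),
    RegEvent("Set value (int)", RTP_POLICY_KEY + r"\DisableRealtimeMonitoring", "1", D48A),
    RegEvent("Set value (int)", RTP_POLICY_KEY + r"\DisableScanOnRealtimeEnable", "1", D48A),
    RegEvent("Set value (int)", TAMPER_VALUE, "0", D48A),
    # Two unrelated rows from the same report; neither should produce a finding.
    RegEvent("Set value (str)",
             r"\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412",
             "Marquesas Standard Time", GLUPTEBA),
    RegEvent("Key value queried",
             r"\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation",
             None, KOS1),
]

if __name__ == "__main__":
    for proc, findings in assess(SAMPLE_EVENTS).items():
        print(f"{ATTACK_ID} {proc}")
        for finding in findings:
            print("   ", finding)
```

Live-host counterpart: in PowerShell, `Get-MpComputerStatus` reports `RealTimeProtectionEnabled` and `IsTamperProtected`. With Tamper Protection enabled, Defender ignores registry changes to these settings, so rows like the ones above record the attempt rather than its effect; whether they took effect in this sandbox image is not recorded in the report.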

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\CEBA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe N/A
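
Of the seven Run/RunOnce values above, the five wextract_cleanupN entries are written by wextract.exe, the Windows self-extracting cabinet stub used by IExpress packages: each one makes advpack.dll's DelNodeRunDLL32 delete the IXPnnn.TMP extraction directory at the next logon. They show the sample is a nested wextract package (each layer drops the next into a fresh IXP directory) and are cleanup of the dropper's own staging directory, not persistence. The real persistence is the user-hive Run\csrss value pointing at C:\Windows\rss\csrss.exe, a file named after a core Windows process but living outside System32 (ATT&CK T1547.001 combined with T1036.005), written first by the dropper and then re-written by the copy itself; the real csrss.exe is started only by smss.exe during session setup, so a Run-key launch of anything with that name is never legitimate. The Python below is an added example, not report or vendor code: it classifies autorun entries constructed from these rows with the JSON-style escaping removed. The AutorunEntry class, the function and label names, and the OneDrive entry used for contrast are this example's own.

```python
"""Classify Run/RunOnce autorun entries from a sandbox report.

Added example, not part of the report. SAMPLE_ENTRIES is constructed from the
"Adds Run key to start application" rows (escaping removed) plus one ordinary
entry, invented here, so the default class is exercised too.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Core Windows processes; a Run entry pointing at one of these names outside
# the system directories is a lookalike (ATT&CK T1036.005).
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "lsass.exe",
    "services.exe", "svchost.exe", "dwm.exe", "spoolsv.exe", "taskhostw.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')            # quoted segment or bare word
IXP_DIR_RE = re.compile(r"\\ixp\d{3}\.tmp\\?$")      # wextract staging directory


@dataclass(frozen=True)
class AutorunEntry:
    key: str       # registry key holding the value
    name: str      # value name
    command: str   # value data: the command line run at logon
    writer: str    # process that wrote the value


def tokens(command: str) -> list[str]:
    """Split a command line on whitespace, keeping quoted segments whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(command)]


def classify(entry: AutorunEntry) -> str:
    parts = tokens(entry.command)
    if not parts:
        return "empty"
    exe = ntpath.basename(parts[0]).lower()
    # wextract.exe registers RunOnce\wextract_cleanupN =
    #   rundll32.exe advpack.dll,DelNodeRunDLL32 "<IXPnnn.TMP dir>"
    # which deletes the extraction directory at next logon: cleanup, not persistence.
    if (entry.key.lower().endswith(r"\runonce")
            and entry.name.lower().startswith("wextract_cleanup")
            and exe == "rundll32.exe" and len(parts) >= 3
            and parts[1].lower().endswith("advpack.dll,delnoderundll32")
            and IXP_DIR_RE.search(parts[2].lower())):
        return "wextract_cleanup"
    target_dir = ntpath.dirname(parts[0]).lower()
    if exe in SYSTEM_PROCESS_NAMES and target_dir not in SYSTEM_DIRS:
        return "masquerading_system_binary"
    return "autorun"


def triage(entries: list[AutorunEntry]) -> dict[str, list[str]]:
    """Map each classification to the sorted value names it applies to."""
    out: dict[str, list[str]] = {}
    for entry in entries:
        out.setdefault(classify(entry), []).append(entry.name)
    return {label: sorted(names) for label, names in sorted(out.items())}


# Constructed from the report rows (same keys, names, commands and writers).
HKLM_RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
HKU_RUN = r"\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


def cleanup_cmd(n: int) -> str:
    return rf'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "{TEMP}\IXP00{n}.TMP\"'


SAMPLE_ENTRIES = [
    AutorunEntry(HKLM_RUNONCE, "wextract_cleanup0", cleanup_cmd(0), rf"{TEMP}\CEBA.exe"),
    AutorunEntry(HKLM_RUNONCE, "wextract_cleanup1", cleanup_cmd(1), rf"{TEMP}\IXP000.TMP\Gs2nk2Lc.exe"),
    AutorunEntry(HKLM_RUNONCE, "wextract_cleanup2", cleanup_cmd(2), rf"{TEMP}\IXP001.TMP\IN4Tk4cT.exe"),
    AutorunEntry(HKLM_RUNONCE, "wextract_cleanup3", cleanup_cmd(3), rf"{TEMP}\IXP002.TMP\cY6Eg9xY.exe"),
    AutorunEntry(HKLM_RUNONCE, "wextract_cleanup4", cleanup_cmd(4), rf"{TEMP}\IXP003.TMP\Ps1dG7Lt.exe"),
    AutorunEntry(HKU_RUN, "csrss", r'"C:\Windows\rss\csrss.exe"',
                 rf"{TEMP}\31839b57a4f11171d6abc8bbc4451ee4.exe"),
    # Invented ordinary entry (not from the report) to show the default class.
    AutorunEntry(HKU_RUN, "OneDrive",
                 r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
                 "explorer.exe"),
]

if __name__ == "__main__":
    for label, names in triage(SAMPLE_ENTRIES).items():
        print(f"{label}: {', '.join(names)}")
```

The wextract rule is deliberately strict (RunOnce, value-name prefix, rundll32 with the advpack export, and an IXPnnn.TMP target) so that a malicious RunOnce entry merely named wextract_cleanup is still reported as an autorun.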

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (5 occurrences)
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Note: C:\Windows\SysWOW64\config\systemprofile is the profile directory of the LocalSystem account, so these writes show the 32-bit PowerShell instance running as SYSTEM rather than as the Admin user.

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-3304N.tmp\is-19V7V.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-B9TG6.tmp C:\Users\Admin\AppData\Local\Temp\is-3304N.tmp\is-19V7V.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-OT4SR.tmp C:\Users\Admin\AppData\Local\Temp\is-3304N.tmp\is-19V7V.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-SNJKF.tmp C:\Users\Admin\AppData\Local\Temp\is-3304N.tmp\is-19V7V.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-KVM3P.tmp C:\Users\Admin\AppData\Local\Temp\is-3304N.tmp\is-19V7V.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-3304N.tmp\is-19V7V.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-3304N.tmp\is-19V7V.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A (62 hits, no indicator or process recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (10 occurrences, alternating with the next row)
Token: SeCreatePagefilePrivilege N/A N/A N/A (10 occurrences)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D48A.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A (18 occurrences, alternating with the next row)
Token: SeCreatePagefilePrivilege N/A N/A N/A (18 occurrences)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A (3 occurrences, alternating with the next row)
Token: SeCreatePagefilePrivilege N/A N/A N/A (3 occurrences)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4676 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\3abcddaeacf95d344fd8dab6a68a27c4e0bdad5ba575ff42e6d2b8de8a042b3f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4676 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\3abcddaeacf95d344fd8dab6a68a27c4e0bdad5ba575ff42e6d2b8de8a042b3f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4676 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\3abcddaeacf95d344fd8dab6a68a27c4e0bdad5ba575ff42e6d2b8de8a042b3f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4676 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\3abcddaeacf95d344fd8dab6a68a27c4e0bdad5ba575ff42e6d2b8de8a042b3f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4676 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\3abcddaeacf95d344fd8dab6a68a27c4e0bdad5ba575ff42e6d2b8de8a042b3f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4676 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\3abcddaeacf95d344fd8dab6a68a27c4e0bdad5ba575ff42e6d2b8de8a042b3f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3268 wrote to memory of 1092 N/A N/A C:\Users\Admin\AppData\Local\Temp\CEBA.exe
PID 3268 wrote to memory of 1092 N/A N/A C:\Users\Admin\AppData\Local\Temp\CEBA.exe
PID 3268 wrote to memory of 1092 N/A N/A C:\Users\Admin\AppData\Local\Temp\CEBA.exe
PID 1092 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\CEBA.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
PID 1092 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\CEBA.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
PID 1092 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\CEBA.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
PID 3668 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
PID 3668 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
PID 3668 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
PID 3268 wrote to memory of 1660 N/A N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe
PID 3268 wrote to memory of 1660 N/A N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe
PID 3268 wrote to memory of 1660 N/A N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe
PID 1820 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
PID 1820 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
PID 1820 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
PID 2512 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
PID 2512 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
PID 2512 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
PID 3268 wrote to memory of 2140 N/A N/A C:\Windows\system32\cmd.exe
PID 3268 wrote to memory of 2140 N/A N/A C:\Windows\system32\cmd.exe
PID 3792 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe
PID 3792 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe
PID 3792 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe
PID 1660 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1660 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1660 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1660 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\D08F.exe C:\Windows\SysWOW64\cmd.exe
PID 3268 wrote to memory of 1412 N/A N/A C:\Users\Admin\AppData\Local\Temp\D3FC.exe
PID 3268 wrote to memory of 1412 N/A N/A C:\Users\Admin\AppData\Local\Temp\D3FC.exe
PID 3268 wrote to memory of 1412 N/A N/A C:\Users\Admin\AppData\Local\Temp\D3FC.exe
PID 3268 wrote to memory of 1988 N/A N/A C:\Users\Admin\AppData\Local\Temp\D48A.exe
PID 3268 wrote to memory of 1988 N/A N/A C:\Users\Admin\AppData\Local\Temp\D48A.exe
PID 2140 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2140 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3268 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\Temp\D602.exe
PID 3268 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\Temp\D602.exe
PID 3268 wrote to memory of 1724 N/A N/A C:\Users\Admin\AppData\Local\Temp\D602.exe
PID 1676 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2140 wrote to memory of 660 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2140 wrote to memory of 660 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 660 wrote to memory of 1404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 660 wrote to memory of 1404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1412 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\D3FC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1412 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\D3FC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1412 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\D3FC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1412 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\D3FC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1412 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\D3FC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1412 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\D3FC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3abcddaeacf95d344fd8dab6a68a27c4e0bdad5ba575ff42e6d2b8de8a042b3f.exe

"C:\Users\Admin\AppData\Local\Temp\3abcddaeacf95d344fd8dab6a68a27c4e0bdad5ba575ff42e6d2b8de8a042b3f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4676 -ip 4676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 412

C:\Users\Admin\AppData\Local\Temp\CEBA.exe

C:\Users\Admin\AppData\Local\Temp\CEBA.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe

C:\Users\Admin\AppData\Local\Temp\D08F.exe

C:\Users\Admin\AppData\Local\Temp\D08F.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D1E8.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1660 -ip 1660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 136

C:\Users\Admin\AppData\Local\Temp\D3FC.exe

C:\Users\Admin\AppData\Local\Temp\D3FC.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\D48A.exe

C:\Users\Admin\AppData\Local\Temp\D48A.exe

C:\Users\Admin\AppData\Local\Temp\D602.exe

C:\Users\Admin\AppData\Local\Temp\D602.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb767446f8,0x7ffb76744708,0x7ffb76744718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb767446f8,0x7ffb76744708,0x7ffb76744718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1412 -ip 1412

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\E258.exe

C:\Users\Admin\AppData\Local\Temp\E258.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,2219185344900369131,8069327282608920836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,2219185344900369131,8069327282608920836,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,16926744591136153616,430400216820986645,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,16926744591136153616,430400216820986645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,2219185344900369131,8069327282608920836,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\is-3304N.tmp\is-19V7V.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3304N.tmp\is-19V7V.tmp" /SL4 $70226 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2219185344900369131,8069327282608920836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2219185344900369131,8069327282608920836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2219185344900369131,8069327282608920836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\E595.exe

C:\Users\Admin\AppData\Local\Temp\E595.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 156

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\DCAA.exe

C:\Users\Admin\AppData\Local\Temp\DCAA.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2219185344900369131,8069327282608920836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2219185344900369131,8069327282608920836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2219185344900369131,8069327282608920836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2219185344900369131,8069327282608920836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,2219185344900369131,8069327282608920836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,2219185344900369131,8069327282608920836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2219185344900369131,8069327282608920836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2219185344900369131,8069327282608920836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lj226Mc.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lj226Mc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.52:80 77.91.68.52 tcp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp

Files


memory/3268-411-0x0000000003560000-0x0000000003570000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fb23805c372d6a31e6a789b36c463333
SHA1 a4a5dfbf3471351dbc1bbc9455ba65684483e37c
SHA256 1407bedeb57ca6d28ee2dc6a478eca0f076f5fbc63a7da2f5699ecd8be5bbb61
SHA512 4a1ef976f57b53e366250eff2a332f76d53c79cddcdbaa54d2fa28c204643c7ecbda8110f56350dab3d2dd53c350b9f6fedf9328383c077714dcf0362b498e6d

memory/4900-483-0x0000000007D00000-0x0000000007D10000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 d240e48d71571ce4531274e5554e8127
SHA1 e074b5c9cb6baa93977ae9ebda90711a9df84d0e
SHA256 62549903e5c68b63e8b95f668d7b107b795d0d2561e657d394da211e67560a38
SHA512 32ad4d1ebefe78c38dbec0d3476b194d4622f0a327a41275c3319be3fd928ced0ba24e06dc58a1342e4910a6aced72d4848c81b918d56e1d9bac0f2cec0581b1

memory/4088-499-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_negfmtnm.tbf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4088-612-0x0000000000400000-0x000000000298D000-memory.dmp

memory/2672-618-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4088-652-0x0000000000400000-0x000000000298D000-memory.dmp

memory/2660-657-0x0000000000400000-0x000000000298D000-memory.dmp

memory/2672-659-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/2660-714-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4