Analysis Overview
SHA256
27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b
Threat Level: Known bad
The file 27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
RedLine payload
Glupteba
Amadey
Fabookie
Mystic
DcRat
RedLine
Healer
Detect Fabookie payload
Detects Healer an antivirus disabler dropper
Glupteba payload
SmokeLoader
Modifies Windows Firewall
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Windows security modification
Loads dropped DLL
Uses the VBS compiler for execution
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Manipulates WinMonFS driver.
Drops file in System32 directory
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
Drops file in Program Files directory
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Runs net.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-02 07:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-02 07:21
Reported
2023-10-02 07:24
Platform
win10v2004-20230915-en
Max time kernel
115s
Max time network
154s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Fabookie
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\DB12.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\DB12.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\DB12.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\DB12.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\DB12.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\DB12.exe | N/A |
Mystic
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DD26.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E759.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9AB4G.tmp\is-CO4G4.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9AB4G.tmp\is-CO4G4.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9AB4G.tmp\is-CO4G4.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\DB12.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\D60D.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Detected potential entity reuse from brand microsoft.
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5088 set thread context of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4860 set thread context of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\D708.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3476 set thread context of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\D9F8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3580 set thread context of 2552 | N/A | C:\Windows\System32\CompPkgSrv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3344 set thread context of 4268 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
| PID 4800 set thread context of 5468 | N/A | C:\Users\Admin\AppData\Local\Temp\EBFD.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\PA Previewer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-9AB4G.tmp\is-CO4G4.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\PA Previewer\previewer.exe | C:\Users\Admin\AppData\Local\Temp\is-9AB4G.tmp\is-CO4G4.tmp | N/A |
| File created | C:\Program Files (x86)\PA Previewer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-9AB4G.tmp\is-CO4G4.tmp | N/A |
| File created | C:\Program Files (x86)\PA Previewer\is-UJPDH.tmp | C:\Users\Admin\AppData\Local\Temp\is-9AB4G.tmp\is-CO4G4.tmp | N/A |
| File created | C:\Program Files (x86)\PA Previewer\is-O0F3H.tmp | C:\Users\Admin\AppData\Local\Temp\is-9AB4G.tmp\is-CO4G4.tmp | N/A |
| File created | C:\Program Files (x86)\PA Previewer\is-3LVPP.tmp | C:\Users\Admin\AppData\Local\Temp\is-9AB4G.tmp\is-CO4G4.tmp | N/A |
| File created | C:\Program Files (x86)\PA Previewer\is-E0GI9.tmp | C:\Users\Admin\AppData\Local\Temp\is-9AB4G.tmp\is-CO4G4.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DB12.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kos.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b.exe
"C:\Users\Admin\AppData\Local\Temp\27096dae0858172c7f4a562e55a10e0e1630ac050b6b7ee160c7541461d74f4b.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5088 -ip 5088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 148
C:\Users\Admin\AppData\Local\Temp\D60D.exe
C:\Users\Admin\AppData\Local\Temp\D60D.exe
C:\Users\Admin\AppData\Local\Temp\D708.exe
C:\Users\Admin\AppData\Local\Temp\D708.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D860.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
C:\Users\Admin\AppData\Local\Temp\D9F8.exe
C:\Users\Admin\AppData\Local\Temp\D9F8.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4860 -ip 4860
C:\Users\Admin\AppData\Local\Temp\DB12.exe
C:\Users\Admin\AppData\Local\Temp\DB12.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 152
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Users\Admin\AppData\Local\Temp\DD26.exe
C:\Users\Admin\AppData\Local\Temp\DD26.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff932ee46f8,0x7ff932ee4708,0x7ff932ee4718
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3476 -ip 3476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 152
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\E759.exe
C:\Users\Admin\AppData\Local\Temp\E759.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3580 -ip 3580
C:\Users\Admin\AppData\Local\Temp\ss41.exe
"C:\Users\Admin\AppData\Local\Temp\ss41.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 152
C:\Users\Admin\AppData\Local\Temp\EBFD.exe
C:\Users\Admin\AppData\Local\Temp\EBFD.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,3073937278582116984,6759758323536088783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
C:\Users\Admin\AppData\Local\Temp\F19C.exe
C:\Users\Admin\AppData\Local\Temp\F19C.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,3073937278582116984,6759758323536088783,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\kos1.exe
"C:\Users\Admin\AppData\Local\Temp\kos1.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,3073937278582116984,6759758323536088783,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff932ee46f8,0x7ff932ee4708,0x7ff932ee4718
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3073937278582116984,6759758323536088783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3073937278582116984,6759758323536088783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lj226Mc.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lj226Mc.exe
C:\Users\Admin\AppData\Local\Temp\kos.exe
"C:\Users\Admin\AppData\Local\Temp\kos.exe"
C:\Users\Admin\AppData\Local\Temp\is-9AB4G.tmp\is-CO4G4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9AB4G.tmp\is-CO4G4.tmp" /SL4 $A011A "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -i
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\set16.exe
"C:\Users\Admin\AppData\Local\Temp\set16.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3073937278582116984,6759758323536088783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -s
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=F19C.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff932ee46f8,0x7ff932ee4708,0x7ff932ee4718
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=F19C.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff932ee46f8,0x7ff932ee4708,0x7ff932ee4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,8830813824033972336,18057538127628108060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8830813824033972336,18057538127628108060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8830813824033972336,18057538127628108060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,8830813824033972336,18057538127628108060,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,8830813824033972336,18057538127628108060,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8830813824033972336,18057538127628108060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3484954205574585880,10916829268284891265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3484954205574585880,10916829268284891265,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8830813824033972336,18057538127628108060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8830813824033972336,18057538127628108060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8830813824033972336,18057538127628108060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8830813824033972336,18057538127628108060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,8830813824033972336,18057538127628108060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,8830813824033972336,18057538127628108060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8830813824033972336,18057538127628108060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8830813824033972336,18057538127628108060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| FI | 77.91.68.52:80 | 77.91.68.52 | tcp |
| US | 8.8.8.8:53 | 52.68.91.77.in-addr.arpa | udp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| US | 8.8.8.8:53 | 78.68.91.77.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | z.nnnaajjjgc.com | udp |
| MU | 156.236.72.121:443 | z.nnnaajjjgc.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | 121.72.236.156.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.174.42.23.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| MD | 176.123.4.46:33783 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | 93.234.251.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.4.123.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | app.nnnaajjjgc.com | udp |
| HK | 154.221.26.108:80 | app.nnnaajjjgc.com | tcp |
| US | 8.8.8.8:53 | 108.26.221.154.in-addr.arpa | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| NL | 104.85.6.160:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.6.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 13.107.246.67:443 | wcpstatic.microsoft.com | tcp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 13.107.246.67:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | mscom.demdex.net | udp |
| IE | 34.241.182.209:443 | mscom.demdex.net | tcp |
| US | 8.8.8.8:53 | target.microsoft.com | udp |
| US | 8.8.8.8:53 | microsoftmscompoc.tt.omtrdc.net | udp |
| US | 8.8.8.8:53 | 67.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.182.241.34.in-addr.arpa | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 13.107.246.67:443 | js.monitor.azure.com | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | fff86fcd-e809-4e04-8f93-491fb4e1db4a.uuid.ramboclub.net | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | stun.l.google.com | udp |
| US | 8.8.8.8:53 | server10.ramboclub.net | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 74.125.128.127:19302 | stun.l.google.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.48:443 | server10.ramboclub.net | tcp |
| US | 8.8.8.8:53 | 127.128.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.216.82.185.in-addr.arpa | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | datasheet.fun | udp |
| US | 104.21.89.251:80 | datasheet.fun | tcp |
| US | 8.8.8.8:53 | 251.89.21.104.in-addr.arpa | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| FI | 77.91.124.55:19071 | tcp | |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| FI | 77.91.124.55:19071 | tcp | |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
Files
memory/3580-0-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3580-1-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3172-2-0x0000000003350000-0x0000000003366000-memory.dmp
memory/3580-3-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D60D.exe
| MD5 | 099b3d4378bb94aa106135ed1fc4d922 |
| SHA1 | 2f9609032c3aea88a01321ce705a5fcded2a74d8 |
| SHA256 | 271baf68891b775c19ff448ad18177a1dd25956d7a8d6c9a1a04cd454b84f9db |
| SHA512 | 50ce310246854d65e902f0d8e586732e2d94d4b9f713edf4be070a2d1de57bd551f885cc5d3df869180aa0d9e0920ca2d474f3919281025340e750249a06fdfe |
C:\Users\Admin\AppData\Local\Temp\D60D.exe
| MD5 | 099b3d4378bb94aa106135ed1fc4d922 |
| SHA1 | 2f9609032c3aea88a01321ce705a5fcded2a74d8 |
| SHA256 | 271baf68891b775c19ff448ad18177a1dd25956d7a8d6c9a1a04cd454b84f9db |
| SHA512 | 50ce310246854d65e902f0d8e586732e2d94d4b9f713edf4be070a2d1de57bd551f885cc5d3df869180aa0d9e0920ca2d474f3919281025340e750249a06fdfe |
C:\Users\Admin\AppData\Local\Temp\D708.exe
| MD5 | 681a1edcbe145ff2480a0eff775117f0 |
| SHA1 | 9d3ac177ae0166f168b06711c10495065ac460f5 |
| SHA256 | c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41 |
| SHA512 | 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
| MD5 | a67fb4171f897930464e5f48ca226432 |
| SHA1 | 596933d03d071a6653c67e01cc047c934649aba2 |
| SHA256 | 28038eb5c01bf791e49727f20826e6fad223d116b70238261696539425719669 |
| SHA512 | 6ffa5b0a6ff9c514c001dc407c4ca5ba69c5bb9337296387dde3fba167e5b7935885565dab84260e8d2ad380a6dff83e92a0650272563c48bcb38923b09d6c52 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gs2nk2Lc.exe
| MD5 | a67fb4171f897930464e5f48ca226432 |
| SHA1 | 596933d03d071a6653c67e01cc047c934649aba2 |
| SHA256 | 28038eb5c01bf791e49727f20826e6fad223d116b70238261696539425719669 |
| SHA512 | 6ffa5b0a6ff9c514c001dc407c4ca5ba69c5bb9337296387dde3fba167e5b7935885565dab84260e8d2ad380a6dff83e92a0650272563c48bcb38923b09d6c52 |
C:\Users\Admin\AppData\Local\Temp\D708.exe
| MD5 | 681a1edcbe145ff2480a0eff775117f0 |
| SHA1 | 9d3ac177ae0166f168b06711c10495065ac460f5 |
| SHA256 | c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41 |
| SHA512 | 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
| MD5 | 24a8217ddd7bb28c2aabe78e51ae4b7c |
| SHA1 | 3a521565cd894883b72b73bdfc2053aa1a60bbf6 |
| SHA256 | 8a379a26434d4c79d0dd51288fbeb8227f665cdfb02742de105a9b1a7f8f1d7b |
| SHA512 | 5a17a45a5e8ac9b0bf76686751fe061482f4b43eb23b2f954b26c49313013ea419921eb46d6e98d84056767e1af72cb105c1cf3bf39c1ab5583c8f325df8a903 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
| MD5 | 852c0f3c1b7ce4d69fffd93b5e02a93f |
| SHA1 | d58b19886548efa210002ff03eb900c336c5d2e2 |
| SHA256 | ddbfe58547bb89c62e41eb7e04df2db155ae635a410982eccdd03364d72570fa |
| SHA512 | ea9820107653520c862447f51c600094e37c6ef711eb55c071f830d0c559b34cb535099083d03b52efb322bf1426ebdc42c6645e70ccf9c151edf447538a2df4 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cY6Eg9xY.exe
| MD5 | 852c0f3c1b7ce4d69fffd93b5e02a93f |
| SHA1 | d58b19886548efa210002ff03eb900c336c5d2e2 |
| SHA256 | ddbfe58547bb89c62e41eb7e04df2db155ae635a410982eccdd03364d72570fa |
| SHA512 | ea9820107653520c862447f51c600094e37c6ef711eb55c071f830d0c559b34cb535099083d03b52efb322bf1426ebdc42c6645e70ccf9c151edf447538a2df4 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IN4Tk4cT.exe
| MD5 | 24a8217ddd7bb28c2aabe78e51ae4b7c |
| SHA1 | 3a521565cd894883b72b73bdfc2053aa1a60bbf6 |
| SHA256 | 8a379a26434d4c79d0dd51288fbeb8227f665cdfb02742de105a9b1a7f8f1d7b |
| SHA512 | 5a17a45a5e8ac9b0bf76686751fe061482f4b43eb23b2f954b26c49313013ea419921eb46d6e98d84056767e1af72cb105c1cf3bf39c1ab5583c8f325df8a903 |
C:\Users\Admin\AppData\Local\Temp\D860.bat
| MD5 | 403991c4d18ac84521ba17f264fa79f2 |
| SHA1 | 850cc068de0963854b0fe8f485d951072474fd45 |
| SHA256 | ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f |
| SHA512 | a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
| MD5 | 7f6112421b9caa7f2b9f690297d3dc26 |
| SHA1 | de8a94e43e7943fef6a2d5e27b87a334fb30fb89 |
| SHA256 | 753df5549a1e75d223204cf4f8979bbaad9086a0cdf3182cac159550e98f12c0 |
| SHA512 | 0f8de918907e1ea96c1758c4157ce85ef10039ebdb901f65c7a68cc7696bbf6d1b085d2f650677b9337407cc8409b7fd4b3d224e52d6efb42b234b1df058a1bb |
C:\Users\Admin\AppData\Local\Temp\D9F8.exe
| MD5 | e807b615389cd0c7d8d2334b0eb6fd86 |
| SHA1 | f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f |
| SHA256 | 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc |
| SHA512 | 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ps1dG7Lt.exe
| MD5 | 7f6112421b9caa7f2b9f690297d3dc26 |
| SHA1 | de8a94e43e7943fef6a2d5e27b87a334fb30fb89 |
| SHA256 | 753df5549a1e75d223204cf4f8979bbaad9086a0cdf3182cac159550e98f12c0 |
| SHA512 | 0f8de918907e1ea96c1758c4157ce85ef10039ebdb901f65c7a68cc7696bbf6d1b085d2f650677b9337407cc8409b7fd4b3d224e52d6efb42b234b1df058a1bb |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe
| MD5 | 6de25e4bd7e214f28e993a708dd8a3fe |
| SHA1 | c7dde639c9b312d47acf3ff82a965a321294622b |
| SHA256 | e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003 |
| SHA512 | 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7 |
memory/2960-59-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\IM2ly51.exe
| MD5 | 6de25e4bd7e214f28e993a708dd8a3fe |
| SHA1 | c7dde639c9b312d47acf3ff82a965a321294622b |
| SHA256 | e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003 |
| SHA512 | 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7 |
memory/2960-61-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2960-60-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2960-66-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DB12.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/2960-68-0x0000000000400000-0x0000000000428000-memory.dmp
memory/752-67-0x00000000008E0000-0x00000000008EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D9F8.exe
| MD5 | e807b615389cd0c7d8d2334b0eb6fd86 |
| SHA1 | f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f |
| SHA256 | 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc |
| SHA512 | 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069 |
C:\Users\Admin\AppData\Local\Temp\DB12.exe
| MD5 | 7e93bacbbc33e6652e147e7fe07572a0 |
| SHA1 | 421a7167da01c8da4dc4d5234ca3dd84e319e762 |
| SHA256 | 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38 |
| SHA512 | 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91 |
memory/752-70-0x00007FF9317A0000-0x00007FF932261000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DD26.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\DD26.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe
| MD5 | 06e9db049239b88264bb41e6c189c2db |
| SHA1 | 6c2028fd438f4a298535ce0a4f1273d5b325e008 |
| SHA256 | b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c |
| SHA512 | a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Jn21gx.exe
| MD5 | 06e9db049239b88264bb41e6c189c2db |
| SHA1 | 6c2028fd438f4a298535ce0a4f1273d5b325e008 |
| SHA256 | b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c |
| SHA512 | a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d |
memory/1044-81-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe
| MD5 | 30dd294af58c1b8e5b95055f90755d5a |
| SHA1 | 84dfdbaf07fc2803450a3857e81128c86da01aaf |
| SHA256 | 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2 |
| SHA512 | 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/1044-86-0x0000000072D20000-0x00000000734D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LI279Qb.exe
| MD5 | 30dd294af58c1b8e5b95055f90755d5a |
| SHA1 | 84dfdbaf07fc2803450a3857e81128c86da01aaf |
| SHA256 | 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2 |
| SHA512 | 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29 |
memory/1044-94-0x00000000072D0000-0x0000000007362000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f95638730ec51abd55794c140ca826c9 |
| SHA1 | 77c415e2599fbdfe16530c2ab533fd6b193e82ef |
| SHA256 | 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3 |
| SHA512 | 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a |
memory/1044-88-0x00000000077E0000-0x0000000007D84000-memory.dmp
memory/1044-96-0x0000000007270000-0x0000000007280000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E759.exe
| MD5 | 3c81534d635fbe4bfab2861d98422f70 |
| SHA1 | 9cc995fa42313cd82eacaad9e3fe818cd3805f58 |
| SHA256 | 88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f |
| SHA512 | 132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136 |
C:\Users\Admin\AppData\Local\Temp\E759.exe
| MD5 | 3c81534d635fbe4bfab2861d98422f70 |
| SHA1 | 9cc995fa42313cd82eacaad9e3fe818cd3805f58 |
| SHA256 | 88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f |
| SHA512 | 132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136 |
memory/1044-102-0x00000000072B0000-0x00000000072BA000-memory.dmp
memory/2552-107-0x0000000072D20000-0x00000000734D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ss41.exe
| MD5 | 83330cf6e88ad32365183f31b1fd3bda |
| SHA1 | 1c5b47be2b8713746de64b39390636a81626d264 |
| SHA256 | 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e |
| SHA512 | e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 528b5dc5ede359f683b73a684b9c19f6 |
| SHA1 | 8bff4feae6dbdaafac1f9f373f15850d08e0a206 |
| SHA256 | 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9 |
| SHA512 | 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb |
memory/2552-130-0x0000000007460000-0x0000000007470000-memory.dmp
memory/4256-122-0x00007FF720890000-0x00007FF7208FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 528b5dc5ede359f683b73a684b9c19f6 |
| SHA1 | 8bff4feae6dbdaafac1f9f373f15850d08e0a206 |
| SHA256 | 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9 |
| SHA512 | 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb |
memory/1044-142-0x00000000083B0000-0x00000000089C8000-memory.dmp
memory/2552-143-0x00000000077E0000-0x00000000078EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos1.exe
| MD5 | 85b698363e74ba3c08fc16297ddc284e |
| SHA1 | 171cfea4a82a7365b241f16aebdb2aad29f4f7c0 |
| SHA256 | 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe |
| SHA512 | 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796 |
memory/1044-162-0x0000000007570000-0x00000000075AC000-memory.dmp
memory/3344-164-0x00000000025F0000-0x00000000025F9000-memory.dmp
memory/4268-172-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2288-170-0x0000000000480000-0x00000000005F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EBFD.exe
| MD5 | 965fcf373f3e95995f8ae35df758eca1 |
| SHA1 | a62d2494f6ba8a02a80a02017e7c347f76b18fa6 |
| SHA256 | 82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39 |
| SHA512 | 55e9fefbe2a1ed92034573f3c4bb03fe29b0d345ebe834f2f9192d5ddd2237f1bb8e4fb5f9516852e7e0efa42a3122a11d2f0db7c9633b1566901cdd7862ff52 |
C:\Users\Admin\AppData\Local\Temp\kos1.exe
| MD5 | 85b698363e74ba3c08fc16297ddc284e |
| SHA1 | 171cfea4a82a7365b241f16aebdb2aad29f4f7c0 |
| SHA256 | 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe |
| SHA512 | 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796 |
C:\Users\Admin\AppData\Local\Temp\kos1.exe
| MD5 | 85b698363e74ba3c08fc16297ddc284e |
| SHA1 | 171cfea4a82a7365b241f16aebdb2aad29f4f7c0 |
| SHA256 | 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe |
| SHA512 | 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796 |
memory/3344-160-0x0000000002720000-0x0000000002820000-memory.dmp
memory/1044-149-0x0000000007510000-0x0000000007522000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 7ea584dc49967de03bebdacec829b18d |
| SHA1 | 3d47f0e88c7473bedeed2f14d7a8db1318b93852 |
| SHA256 | 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53 |
| SHA512 | ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 7ea584dc49967de03bebdacec829b18d |
| SHA1 | 3d47f0e88c7473bedeed2f14d7a8db1318b93852 |
| SHA256 | 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53 |
| SHA512 | ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f95638730ec51abd55794c140ca826c9 |
| SHA1 | 77c415e2599fbdfe16530c2ab533fd6b193e82ef |
| SHA256 | 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3 |
| SHA512 | 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a |
memory/4800-134-0x0000000000950000-0x0000000000B0D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 7ea584dc49967de03bebdacec829b18d |
| SHA1 | 3d47f0e88c7473bedeed2f14d7a8db1318b93852 |
| SHA256 | 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53 |
| SHA512 | ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 528b5dc5ede359f683b73a684b9c19f6 |
| SHA1 | 8bff4feae6dbdaafac1f9f373f15850d08e0a206 |
| SHA256 | 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9 |
| SHA512 | 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb |
C:\Users\Admin\AppData\Local\Temp\EBFD.exe
| MD5 | 965fcf373f3e95995f8ae35df758eca1 |
| SHA1 | a62d2494f6ba8a02a80a02017e7c347f76b18fa6 |
| SHA256 | 82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39 |
| SHA512 | 55e9fefbe2a1ed92034573f3c4bb03fe29b0d345ebe834f2f9192d5ddd2237f1bb8e4fb5f9516852e7e0efa42a3122a11d2f0db7c9633b1566901cdd7862ff52 |
memory/2288-175-0x0000000072D20000-0x00000000734D0000-memory.dmp
memory/4268-182-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f95638730ec51abd55794c140ca826c9 |
| SHA1 | 77c415e2599fbdfe16530c2ab533fd6b193e82ef |
| SHA256 | 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3 |
| SHA512 | 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a |
memory/1572-184-0x0000000004660000-0x0000000004A59000-memory.dmp
memory/752-183-0x00007FF9317A0000-0x00007FF932261000-memory.dmp
memory/1572-185-0x0000000004A60000-0x000000000534B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F19C.exe
| MD5 | 264d1eb69bcce00fdf11a6a39472dd0a |
| SHA1 | e466c80da7f961743681b6dbdae3eaa0756a4dcd |
| SHA256 | a744a3c6231d68eb30fd4ec1c1deb3830b13b36d3c4bae9ebf03c3d1380b0f79 |
| SHA512 | f45a0da6d82081f787b385595c34a8abc6552d0e73dd393789f93a1b2910efc8ab413668d347726ae874c298c9c3ac458e7e422e98ad2bb3354b8c8563ecbed9 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 528b5dc5ede359f683b73a684b9c19f6 |
| SHA1 | 8bff4feae6dbdaafac1f9f373f15850d08e0a206 |
| SHA256 | 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9 |
| SHA512 | 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb |
memory/2552-177-0x00000000078F0000-0x000000000793C000-memory.dmp
memory/1572-197-0x0000000000400000-0x000000000298D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 20b617514c90ec81d25b616ec2776882 |
| SHA1 | 6f92edcf7fd94aa516698d7e9da087cadb59ad5c |
| SHA256 | 77f3f9de46c44516436a392ca3061d10ac26198fe432e26b5902e6e4fa605387 |
| SHA512 | e9cfeca5d07d713779078b365bdc96f575a40426cbf25e123484f68564ebf2c3813a80bc9547e6ff953c40fe0ff714a6139794b14a6d075b05bdac5a748fe13d |
C:\Users\Admin\AppData\Local\Temp\kos.exe
| MD5 | 076ab7d1cc5150a5e9f8745cc5f5fb6c |
| SHA1 | 7b40783a27a38106e2cc91414f2bc4d8b484c578 |
| SHA256 | d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90 |
| SHA512 | 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b |
memory/5468-220-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos.exe
| MD5 | 076ab7d1cc5150a5e9f8745cc5f5fb6c |
| SHA1 | 7b40783a27a38106e2cc91414f2bc4d8b484c578 |
| SHA256 | d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90 |
| SHA512 | 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b |
C:\Users\Admin\AppData\Local\Temp\kos.exe
| MD5 | 076ab7d1cc5150a5e9f8745cc5f5fb6c |
| SHA1 | 7b40783a27a38106e2cc91414f2bc4d8b484c578 |
| SHA256 | d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90 |
| SHA512 | 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b |
memory/5468-243-0x0000000000FA0000-0x0000000000FA6000-memory.dmp
memory/4800-246-0x0000000000950000-0x0000000000B0D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-9AB4G.tmp\is-CO4G4.tmp
| MD5 | 2fba5642cbcaa6857c3995ccb5d2ee2a |
| SHA1 | 91fe8cd860cba7551fbf78bc77cc34e34956e8cc |
| SHA256 | ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa |
| SHA512 | 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c |
memory/2288-250-0x0000000072D20000-0x00000000734D0000-memory.dmp
memory/5736-249-0x0000000000A90000-0x0000000000ACE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-9AB4G.tmp\is-CO4G4.tmp
| MD5 | 2fba5642cbcaa6857c3995ccb5d2ee2a |
| SHA1 | 91fe8cd860cba7551fbf78bc77cc34e34956e8cc |
| SHA256 | ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa |
| SHA512 | 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c |
memory/5768-240-0x00000000008A0000-0x00000000008A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lj226Mc.exe
| MD5 | e43ed2f89335b4323450cc5a8b743a12 |
| SHA1 | 578aa2a3018d58c9162fe9fd4d30e65a352fe58e |
| SHA256 | 462b13ad372a6c80aba06a0b94583199ecf97aa2122db642ee581f9ca5b96214 |
| SHA512 | 70d7c974f40c7b03608697fdfea69d3b5c1187683a78f0659c043264ff2ab2d508d80e76aa0814f5399b80de6ca5fb0a6c9517e67e350bdef70dfd4c2d37002f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Lj226Mc.exe
| MD5 | e43ed2f89335b4323450cc5a8b743a12 |
| SHA1 | 578aa2a3018d58c9162fe9fd4d30e65a352fe58e |
| SHA256 | 462b13ad372a6c80aba06a0b94583199ecf97aa2122db642ee581f9ca5b96214 |
| SHA512 | 70d7c974f40c7b03608697fdfea69d3b5c1187683a78f0659c043264ff2ab2d508d80e76aa0814f5399b80de6ca5fb0a6c9517e67e350bdef70dfd4c2d37002f |
memory/5492-218-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\set16.exe
| MD5 | 22d5269955f256a444bd902847b04a3b |
| SHA1 | 41a83de3273270c3bd5b2bd6528bdc95766aa268 |
| SHA256 | ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd |
| SHA512 | d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c |
C:\Users\Admin\AppData\Local\Temp\set16.exe
| MD5 | 22d5269955f256a444bd902847b04a3b |
| SHA1 | 41a83de3273270c3bd5b2bd6528bdc95766aa268 |
| SHA256 | ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd |
| SHA512 | d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c |
memory/752-281-0x00007FF9317A0000-0x00007FF932261000-memory.dmp
C:\Program Files (x86)\PA Previewer\previewer.exe
| MD5 | 27b85a95804a760da4dbee7ca800c9b4 |
| SHA1 | f03136226bf3dd38ba0aa3aad1127ccab380197c |
| SHA256 | f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245 |
| SHA512 | e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7 |
memory/3172-267-0x0000000008560000-0x0000000008576000-memory.dmp
memory/1564-301-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/4268-269-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-ABJKV.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-ABJKV.tmp\_isetup\_isdecmp.dll
| MD5 | b4786eb1e1a93633ad1b4c112514c893 |
| SHA1 | 734750b771d0809c88508e4feb788d7701e6dada |
| SHA256 | 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f |
| SHA512 | 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6 |
C:\Users\Admin\AppData\Local\Temp\is-ABJKV.tmp\_isetup\_isdecmp.dll
| MD5 | b4786eb1e1a93633ad1b4c112514c893 |
| SHA1 | 734750b771d0809c88508e4feb788d7701e6dada |
| SHA256 | 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f |
| SHA512 | 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6 |
memory/3120-196-0x00000000005B0000-0x000000000060A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\set16.exe
| MD5 | 22d5269955f256a444bd902847b04a3b |
| SHA1 | 41a83de3273270c3bd5b2bd6528bdc95766aa268 |
| SHA256 | ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd |
| SHA512 | d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c |
C:\Users\Admin\AppData\Local\Temp\F19C.exe
| MD5 | 264d1eb69bcce00fdf11a6a39472dd0a |
| SHA1 | e466c80da7f961743681b6dbdae3eaa0756a4dcd |
| SHA256 | a744a3c6231d68eb30fd4ec1c1deb3830b13b36d3c4bae9ebf03c3d1380b0f79 |
| SHA512 | f45a0da6d82081f787b385595c34a8abc6552d0e73dd393789f93a1b2910efc8ab413668d347726ae874c298c9c3ac458e7e422e98ad2bb3354b8c8563ecbed9 |
\??\pipe\LOCAL\crashpad_2756_MRBYOOLZJHZPRAIN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Program Files (x86)\PA Previewer\previewer.exe
| MD5 | 27b85a95804a760da4dbee7ca800c9b4 |
| SHA1 | f03136226bf3dd38ba0aa3aad1127ccab380197c |
| SHA256 | f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245 |
| SHA512 | e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7 |
memory/1564-305-0x0000000000400000-0x00000000005F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ss41.exe
| MD5 | 83330cf6e88ad32365183f31b1fd3bda |
| SHA1 | 1c5b47be2b8713746de64b39390636a81626d264 |
| SHA256 | 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e |
| SHA512 | e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908 |
C:\Users\Admin\AppData\Local\Temp\ss41.exe
| MD5 | 83330cf6e88ad32365183f31b1fd3bda |
| SHA1 | 1c5b47be2b8713746de64b39390636a81626d264 |
| SHA256 | 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e |
| SHA512 | e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7e90d8e3ee358d76e1b61461afd38382 |
| SHA1 | 4ccfd66a910e636d5e6e6b43c0fd2aae51e76f2c |
| SHA256 | 5a597e21b19923dbc4b558a2013f7bc28270e6e5aa232350a681ebdf3133b933 |
| SHA512 | e872909da1f308035e1ab6fe8037b9daa6042fdc45ee31779460d1c1a256938eb3ebfb190078b81f8539dac8f8f43b8e31e387bec08cc2fa7cf538fd63e9c6d4 |
C:\Program Files (x86)\PA Previewer\previewer.exe
| MD5 | 27b85a95804a760da4dbee7ca800c9b4 |
| SHA1 | f03136226bf3dd38ba0aa3aad1127ccab380197c |
| SHA256 | f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245 |
| SHA512 | e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7 |
memory/1572-318-0x0000000000400000-0x000000000298D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 328caccf7ec47324608980d7441528a4 |
| SHA1 | 4a000fb499c931fc1c533aa73f7021d9b901a3a7 |
| SHA256 | 9ec7d31d4fb0a470a6cefbcce408dc3e18b38b88a2ccfde86df20f2f19507e76 |
| SHA512 | 9d48de76cbe9e0f5bda6b54afb129c9adf70798980710bc82cf1452d7838124faa2b0ad27dbde1db5d6ae7c3715e7e1e459e07ca397245c3aaeb6e7f200bba64 |
memory/1044-327-0x0000000072D20000-0x00000000734D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f95638730ec51abd55794c140ca826c9 |
| SHA1 | 77c415e2599fbdfe16530c2ab533fd6b193e82ef |
| SHA256 | 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3 |
| SHA512 | 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | db82841e7995b12c02a7de2a78d5321d |
| SHA1 | 575169a40af2a601397bfd57b7a84d2be7c242eb |
| SHA256 | 8dde08ef07db7bea79981f4e7ff6b6bbabf1594f15d313e3d200d14a4d85d780 |
| SHA512 | 5f707c33a24b33f79173ab3a956e9869a6b9baa736fc165275c70b9e62a928fb35da4689d68417eec6b7a88f464b2af8c1b20d1fdc6236fc61f0352879127a2c |
memory/5768-361-0x000000001B5F0000-0x000000001B600000-memory.dmp
memory/4176-373-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/5796-374-0x0000000000630000-0x0000000000631000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1cb6ce213b7bafd13de17a75bb7270a8 |
| SHA1 | 88a1ddec954076c5040a9d01eb7a18e52f0dec91 |
| SHA256 | 1c14dea5f0114df6fa123b78dd164fa839bb25b7b6949cc0bdefa2183676027b |
| SHA512 | c6a0a413c2e020b69ac9f78655730de862e765012207e9ca03f0ee9d754ff9e2403c5ead6c410ee6863d31a15c629251052eda3202df86fbee69173f592d8995 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | ac1d0471a91cedf5c34b7e584883dcd6 |
| SHA1 | 755466ee0171ae8bbaef362a50989617c5281514 |
| SHA256 | 456974f18d37871ecf326434d52830d6851f3bbff680c824be83ae99375f9157 |
| SHA512 | 7c92292d32836d3f6d59ea02bef8696082ff4e94d2e3cba7921ae9b5c7d6dfc34d4282d8e96ecff8dd1f22fb45d821b2bf899aa5e6fdfa74b3143a2bdb709cb9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 328caccf7ec47324608980d7441528a4 |
| SHA1 | 4a000fb499c931fc1c533aa73f7021d9b901a3a7 |
| SHA256 | 9ec7d31d4fb0a470a6cefbcce408dc3e18b38b88a2ccfde86df20f2f19507e76 |
| SHA512 | 9d48de76cbe9e0f5bda6b54afb129c9adf70798980710bc82cf1452d7838124faa2b0ad27dbde1db5d6ae7c3715e7e1e459e07ca397245c3aaeb6e7f200bba64 |
memory/5492-408-0x0000000000400000-0x0000000000413000-memory.dmp
memory/5468-415-0x0000000005000000-0x0000000005010000-memory.dmp
memory/5796-414-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/5736-416-0x0000000007AB0000-0x0000000007AC0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 27294b0fd780fcc9086b3c7e1872c3a4 |
| SHA1 | 8bf0e22f3578b15df2cdb4ac0997123574fc2d20 |
| SHA256 | ea770066551ac509b251a63c0ab1fcd372012b26607dc4448528bdcd2031d0ed |
| SHA512 | 52e573a1f570456cba929ec4af8e812e533d1be5aa70a77d1143c4bafa49338d28cb2eb76d0547d2ed78aa0208be3e2ae21ea57335686f88536fedf34c7aae0c |
memory/5468-417-0x0000000005510000-0x0000000005586000-memory.dmp
memory/5468-418-0x0000000072D20000-0x00000000734D0000-memory.dmp
memory/5468-420-0x00000000056D0000-0x0000000005736000-memory.dmp
memory/5736-419-0x0000000072D20000-0x00000000734D0000-memory.dmp
memory/5768-421-0x00007FF9317A0000-0x00007FF932261000-memory.dmp
memory/4256-422-0x0000000002D50000-0x0000000002EC1000-memory.dmp
memory/4256-423-0x0000000002ED0000-0x0000000003001000-memory.dmp
memory/3120-424-0x0000000000400000-0x000000000046A000-memory.dmp
memory/1572-425-0x0000000000400000-0x000000000298D000-memory.dmp
memory/1044-427-0x0000000007270000-0x0000000007280000-memory.dmp
memory/3120-429-0x0000000000400000-0x000000000046A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3271f1f5dca82897afe7980eeffb53b3 |
| SHA1 | 9fb550d852555bfdd637a9a88171062b7d925ea2 |
| SHA256 | cc533c0eb7811fcff701e2908483d5c3ea334034b8214b82c7f8225bb4fd8fa0 |
| SHA512 | 446f96a737e15b06ce04f6dde0564d3ebb6a9ba572c7bd9ba94c6c02c611ece189f83b3ea0be05224548b8d73cda3fc5a97d72261463621a1575e8da11bd5006 |
memory/1728-461-0x0000000072D20000-0x00000000734D0000-memory.dmp
memory/1728-462-0x00000000049A0000-0x00000000049D6000-memory.dmp
memory/2552-463-0x0000000072D20000-0x00000000734D0000-memory.dmp
memory/1728-464-0x0000000004A20000-0x0000000004A30000-memory.dmp
memory/1728-466-0x0000000005060000-0x0000000005688000-memory.dmp
memory/2552-467-0x0000000007460000-0x0000000007470000-memory.dmp
memory/1728-465-0x0000000004A20000-0x0000000004A30000-memory.dmp
memory/1728-474-0x0000000005010000-0x0000000005032000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qemjz1ff.iqb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1728-486-0x00000000059E0000-0x0000000005A46000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ae492b883bbcbd2b2e2722426d42b34f |
| SHA1 | 889c62a0eeee15ddea7283405c67b5f1f6825f9d |
| SHA256 | 3662b08e5727eb1290cd219deac11298c77106c91dc851be7c34c619ae876732 |
| SHA512 | ea7dee57373ce82ed61c098ff0d24965463276cfa18453e5da08bb64e5404d42884d770e972a3d5cba9f37d1e9aef4634e896b9d365481742207ea8f0247528a |
memory/1728-493-0x0000000005AC0000-0x0000000005E14000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b27cd6c547d785dc4e2bafd0e288719e |
| SHA1 | f8510dfc1fb0533314c63289cc5ff72928e2f62a |
| SHA256 | 7b30793b267dd64b799e77b68830e0f60220460e21bb438d3ce88a5aa57d5201 |
| SHA512 | 4cf687b433cf409cd119bca04f7f4970e9f046ecef0483bd9638c459182ac2986e9620f09673940280cae5964f37d6b6f3fd761e100196a716f9fded0fb895a8 |
memory/1728-511-0x0000000005F70000-0x0000000005F8E000-memory.dmp
memory/5468-540-0x0000000006650000-0x0000000006812000-memory.dmp
memory/1572-542-0x0000000004660000-0x0000000004A59000-memory.dmp
memory/4176-570-0x0000000000400000-0x00000000005F1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/1572-587-0x0000000000400000-0x000000000298D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a23ab9a3ac084f9353fbfa478f18252c |
| SHA1 | ce09d657685b5ae44945a04f5c5801f16670aea0 |
| SHA256 | dd178dd0a9a27be15f7b8d626210fa973dccb07dbc3c30aa39318312db96c4f2 |
| SHA512 | 834e4734ae22e2a36c614001793aeb5f4be33f2c135042776375e024b538072ff8b71d2c5e94a487389ee00e8f4d1bc4d4acae8b9e188952f2f4bbc14ce0de96 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3915ce854425ef0dfd507889e8a953a3 |
| SHA1 | 1543e4b9b8996348b8af06229440f67edbf7c5d9 |
| SHA256 | a4613093e632cc477839fe5c01b445a161c8142752d5e7bc81746c0d38335e3f |
| SHA512 | 740b14c87ae10cd5459deb47fe376c41a3ab79093b1f020458601a35e2fe2faa52c330cf3f21dba1eb9aab51b090f185fc68c86bc60a9575826197872d98b6f2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 1b892f2510f22aa408a5f42a507d6235 |
| SHA1 | 3154dc1a25cb54daf661870f7d76836ff12b625e |
| SHA256 | 516b13e9105c39fd605cab6996b8af12aed0b85208e1a2a9bee03ba764998b34 |
| SHA512 | b0790594834751363bc22037c2ea1aff1b67e5b06420bd78533a89ad862b39b84f1b7b8ee0c1879ec827afd22f10660da9720f5108ecdc45a44560088898bab3 |
memory/1572-684-0x0000000000400000-0x000000000298D000-memory.dmp
memory/4176-685-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/5008-714-0x0000000000400000-0x000000000298D000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
memory/4176-754-0x0000000000400000-0x00000000005F1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 295efb8ae8c0c90eb1beb855f67d7629 |
| SHA1 | 460867f08233cfdadefaf167673a42332f880238 |
| SHA256 | ff35eaecd17decbeb15c36784d2a75f2f1e77a37955842e29d0fa524a0943cc3 |
| SHA512 | fa156609df328f315033f8a64690936712dfc72807965a15f5dce06c5fa72d7d7db352e102a3fd5ffc8b0d59bc1ed699e0bd79bcd3407b1d5aecaa8f529fa0b7 |
memory/5008-781-0x0000000000400000-0x000000000298D000-memory.dmp
memory/4176-826-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/5284-857-0x0000000000400000-0x000000000298D000-memory.dmp
memory/4176-878-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/5284-889-0x0000000000400000-0x000000000298D000-memory.dmp
memory/4176-893-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/5284-898-0x0000000000400000-0x000000000298D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 35da912ba18d545a265fdfa52bdaf6e6 |
| SHA1 | 61b04079ef5fe08adaf600fac1b2755792e6d7c7 |
| SHA256 | ed644232af28482e6dddd09198f1f0e061dc5cbb5962f4cad2b9e124aac582e0 |
| SHA512 | a26f1db1c38ff1f2eb5e9ba460191470ddbeb0231bfbdcda5dd9d49496282bdea0dc0fcb0bd223b9b26908a8bb3c2379cdd3cc068b369b4e8a534bc94d3c299c |