Malware Analysis Report

2025-06-16 02:08

Sample ID 231002-jtt88shh98
Target 3b547cb968c1ba2040f31b8bc14de9baafd033203b50e7b50860896981fa7c4a
SHA256 3b547cb968c1ba2040f31b8bc14de9baafd033203b50e7b50860896981fa7c4a
Tags
amadey dcrat fabookie glupteba healer mystic redline smokeloader @ytlogsbot genda up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b547cb968c1ba2040f31b8bc14de9baafd033203b50e7b50860896981fa7c4a

Threat Level: Known bad

The file 3b547cb968c1ba2040f31b8bc14de9baafd033203b50e7b50860896981fa7c4a was found to be: Known bad.

Malicious Activity Summary

amadey dcrat fabookie glupteba healer mystic redline smokeloader @ytlogsbot genda up3 backdoor google discovery dropper evasion infostealer loader persistence phishing rat rootkit spyware stealer trojan

Fabookie

Amadey

Mystic

Detects Healer an antivirus disabler dropper

DcRat

Modifies Windows Defender Real-time Protection settings

Healer

Glupteba payload

Detected google phishing page

RedLine payload

RedLine

Windows security bypass

Glupteba

SmokeLoader

Detect Fabookie payload

Downloads MZ/PE file

Modifies Windows Firewall

Checks computer location settings

Uses the VBS compiler for execution

Windows security modification

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Manipulates WinMonFS driver.

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-02 07:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-02 07:58

Reported

2023-10-02 08:00

Platform

win10-20230915-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b547cb968c1ba2040f31b8bc14de9baafd033203b50e7b50860896981fa7c4a.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3b547cb968c1ba2040f31b8bc14de9baafd033203b50e7b50860896981fa7c4a.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected google phishing page

phishing google

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\E38E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\E38E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\E38E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\E38E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\E38E.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ss3mK45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hR0xs86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0ly05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0292190.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DD9E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E13B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E38E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Jn21gx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E573.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\LI279Qb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FCB5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\273.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A3TFO.tmp\is-TNBN7.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\awiavev N/A
N/A N/A C:\Users\Admin\AppData\Roaming\egiavev N/A
N/A N/A C:\Users\Admin\AppData\Roaming\egiavev N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\E38E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ss3mK45.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hR0xs86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\DD9E.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3b547cb968c1ba2040f31b8bc14de9baafd033203b50e7b50860896981fa7c4a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0ly05.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\System32\Conhost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-A3TFO.tmp\is-TNBN7.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-A3TFO.tmp\is-TNBN7.tmp N/A
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-A3TFO.tmp\is-TNBN7.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-4SI3K.tmp C:\Users\Admin\AppData\Local\Temp\is-A3TFO.tmp\is-TNBN7.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-U0RNJ.tmp C:\Users\Admin\AppData\Local\Temp\is-A3TFO.tmp\is-TNBN7.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-HK4PK.tmp C:\Users\Admin\AppData\Local\Temp\is-A3TFO.tmp\is-TNBN7.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-SFMR4.tmp C:\Users\Admin\AppData\Local\Temp\is-A3TFO.tmp\is-TNBN7.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\egiavev N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\egiavev N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\egiavev N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\Conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\Conhost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\Conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\Conhost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 204cb96206f5d901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "402998493" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000e71089150fc8bd5a81fe3ab1f846e193dfa944f033cd076a2c7f263c381502030f4f78c494adea940f6e44a084d1a7f7cea55f277fa42fc1265b C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\MrtCache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{603B7753-C8DE-4FB4-B426-39188C2BF46B} = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1157c56206f5d901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E38E.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\3b547cb968c1ba2040f31b8bc14de9baafd033203b50e7b50860896981fa7c4a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ss3mK45.exe
PID 2916 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\3b547cb968c1ba2040f31b8bc14de9baafd033203b50e7b50860896981fa7c4a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ss3mK45.exe
PID 2916 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\3b547cb968c1ba2040f31b8bc14de9baafd033203b50e7b50860896981fa7c4a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ss3mK45.exe
PID 5088 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ss3mK45.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hR0xs86.exe
PID 5088 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ss3mK45.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hR0xs86.exe
PID 5088 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ss3mK45.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hR0xs86.exe
PID 1016 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hR0xs86.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0ly05.exe
PID 1016 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hR0xs86.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0ly05.exe
PID 1016 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hR0xs86.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0ly05.exe
PID 4584 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0ly05.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0292190.exe
PID 4584 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0ly05.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0292190.exe
PID 4584 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0ly05.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0292190.exe
PID 2984 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0292190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0292190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0292190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0292190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0292190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2984 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0292190.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3264 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD9E.exe
PID 3264 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD9E.exe
PID 3264 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD9E.exe
PID 3264 wrote to memory of 3828 N/A N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe
PID 3264 wrote to memory of 3828 N/A N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe
PID 3264 wrote to memory of 3828 N/A N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe
PID 2668 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\DD9E.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe
PID 2668 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\DD9E.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe
PID 2668 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\DD9E.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe
PID 3244 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe
PID 3244 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe
PID 3244 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe
PID 3264 wrote to memory of 3840 N/A N/A C:\Windows\system32\cmd.exe
PID 3264 wrote to memory of 3840 N/A N/A C:\Windows\system32\cmd.exe
PID 292 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe
PID 292 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe
PID 292 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe
PID 1528 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe
PID 1528 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe
PID 1528 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe
PID 3048 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe
PID 3048 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe
PID 3048 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe
PID 3264 wrote to memory of 4180 N/A N/A C:\Users\Admin\AppData\Local\Temp\E13B.exe
PID 3264 wrote to memory of 4180 N/A N/A C:\Users\Admin\AppData\Local\Temp\E13B.exe
PID 3264 wrote to memory of 4180 N/A N/A C:\Users\Admin\AppData\Local\Temp\E13B.exe
PID 3828 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3828 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3828 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3828 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3828 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3828 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3828 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3828 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3828 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3828 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\DEC8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3264 wrote to memory of 1800 N/A N/A C:\Users\Admin\AppData\Local\Temp\E38E.exe
PID 3264 wrote to memory of 1800 N/A N/A C:\Users\Admin\AppData\Local\Temp\E38E.exe
PID 4180 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\E13B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4180 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\E13B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4180 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\E13B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4180 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\E13B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4180 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\E13B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4180 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\E13B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4180 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\E13B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4180 wrote to memory of 504 N/A C:\Users\Admin\AppData\Local\Temp\E13B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3b547cb968c1ba2040f31b8bc14de9baafd033203b50e7b50860896981fa7c4a.exe

"C:\Users\Admin\AppData\Local\Temp\3b547cb968c1ba2040f31b8bc14de9baafd033203b50e7b50860896981fa7c4a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ss3mK45.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ss3mK45.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hR0xs86.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hR0xs86.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0ly05.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0ly05.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0292190.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0292190.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 148

C:\Users\Admin\AppData\Local\Temp\DD9E.exe

C:\Users\Admin\AppData\Local\Temp\DD9E.exe

C:\Users\Admin\AppData\Local\Temp\DEC8.exe

C:\Users\Admin\AppData\Local\Temp\DEC8.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DFF2.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe

C:\Users\Admin\AppData\Local\Temp\E13B.exe

C:\Users\Admin\AppData\Local\Temp\E13B.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 360

C:\Users\Admin\AppData\Local\Temp\E38E.exe

C:\Users\Admin\AppData\Local\Temp\E38E.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Jn21gx.exe

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Jn21gx.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 144

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\E573.exe

C:\Users\Admin\AppData\Local\Temp\E573.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\LI279Qb.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\LI279Qb.exe

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 588

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\FCB5.exe

C:\Users\Admin\AppData\Local\Temp\FCB5.exe

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\273.exe

C:\Users\Admin\AppData\Local\Temp\273.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\AppData\Local\Temp\is-A3TFO.tmp\is-TNBN7.tmp

"C:\Users\Admin\AppData\Local\Temp\is-A3TFO.tmp\is-TNBN7.tmp" /SL4 $20338 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Roaming\awiavev

C:\Users\Admin\AppData\Roaming\awiavev

C:\Users\Admin\AppData\Roaming\egiavev

C:\Users\Admin\AppData\Roaming\egiavev

C:\Users\Admin\AppData\Roaming\egiavev

C:\Users\Admin\AppData\Roaming\egiavev

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.25.221.88.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
MD 176.123.4.46:33783 tcp
US 8.8.8.8:53 46.4.123.176.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.35:443 facebook.com tcp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 d654025b-3b61-4b34-92d4-24edecb2f990.uuid.ramboclub.net udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 88.221.24.81:443 www.bing.com tcp
NL 88.221.24.81:443 www.bing.com tcp
US 8.8.8.8:53 163.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 81.24.221.88.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server2.ramboclub.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.48:443 server2.ramboclub.net tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 48.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 datasheet.fun udp
US 172.67.166.109:80 datasheet.fun tcp
US 8.8.8.8:53 109.166.67.172.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ss3mK45.exe

MD5 9b102628fe5d842ed5dbf5214bc8e0e6
SHA1 0f6340cf591a3f39f94d8227fe111c4741f63861
SHA256 61d576f06e853a60df66f6859ec34734a0832bf7340a3c241fdb04c6c11ade3a
SHA512 e1e6f5eed333093a904216837f7ccee340093bc3546591b2afaec6181e786b4ca340792de0540e1c0c1fd45f060e2671587c2a902a410d38c0f8404d90eb6b6e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ss3mK45.exe

MD5 9b102628fe5d842ed5dbf5214bc8e0e6
SHA1 0f6340cf591a3f39f94d8227fe111c4741f63861
SHA256 61d576f06e853a60df66f6859ec34734a0832bf7340a3c241fdb04c6c11ade3a
SHA512 e1e6f5eed333093a904216837f7ccee340093bc3546591b2afaec6181e786b4ca340792de0540e1c0c1fd45f060e2671587c2a902a410d38c0f8404d90eb6b6e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hR0xs86.exe

MD5 127fcbfccaf39e3820619d9a849f42e6
SHA1 ffe7acc436d0a4d02b6678621d18c0aadf714d1a
SHA256 bb7da2791ec5088e17bda787f3e3dc1d418c73bd1e1f3a60378731f732e2a1e6
SHA512 b516270f07a18acc8e91f38da911d022dd78e97a26548d32ba3eb6951186ecdb94ad64f4033c93c5b6a936b78ea2e748cfbd1f3f3760c88a61f0ba3e0b3ae0f6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hR0xs86.exe

MD5 127fcbfccaf39e3820619d9a849f42e6
SHA1 ffe7acc436d0a4d02b6678621d18c0aadf714d1a
SHA256 bb7da2791ec5088e17bda787f3e3dc1d418c73bd1e1f3a60378731f732e2a1e6
SHA512 b516270f07a18acc8e91f38da911d022dd78e97a26548d32ba3eb6951186ecdb94ad64f4033c93c5b6a936b78ea2e748cfbd1f3f3760c88a61f0ba3e0b3ae0f6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0ly05.exe

MD5 14610822e185c65e8aadb4bb3e575a46
SHA1 3888e89b64692045a154425be8ea46e5783ddcc5
SHA256 c0445902ba02c8f8374b02dca3cec99f3d564a8e69e258ebcd644983252d0863
SHA512 5bc847ba314eb880975d4d1d91c1d635f2131401936665f691b4bb1519bede840466f503b2c1f17deadb25e07e457d564e9b0ee01aae011542c8dee5349bd922

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0ly05.exe

MD5 14610822e185c65e8aadb4bb3e575a46
SHA1 3888e89b64692045a154425be8ea46e5783ddcc5
SHA256 c0445902ba02c8f8374b02dca3cec99f3d564a8e69e258ebcd644983252d0863
SHA512 5bc847ba314eb880975d4d1d91c1d635f2131401936665f691b4bb1519bede840466f503b2c1f17deadb25e07e457d564e9b0ee01aae011542c8dee5349bd922

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0292190.exe

MD5 b6b1ae3b1ed4c27d3391bb45a68aa296
SHA1 9558ebaaf57a82c6d771e0b9fb7032adaf8953d9
SHA256 b7c63ee3257b4a14b771aead80ead3f62d04cc069d1ae8c3d6f09bd10371eb7e
SHA512 05afa5a71c25478469738657d9c06a59d9627a003942c14799158184e153d465262a19bc8a5626b31e48778eaee5a244b3a0e5ba35e7a1aade64bc07f9c687e5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\0292190.exe

MD5 b6b1ae3b1ed4c27d3391bb45a68aa296
SHA1 9558ebaaf57a82c6d771e0b9fb7032adaf8953d9
SHA256 b7c63ee3257b4a14b771aead80ead3f62d04cc069d1ae8c3d6f09bd10371eb7e
SHA512 05afa5a71c25478469738657d9c06a59d9627a003942c14799158184e153d465262a19bc8a5626b31e48778eaee5a244b3a0e5ba35e7a1aade64bc07f9c687e5

memory/2656-28-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2656-31-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3264-32-0x0000000000480000-0x0000000000496000-memory.dmp

memory/2656-33-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DD9E.exe

MD5 099b3d4378bb94aa106135ed1fc4d922
SHA1 2f9609032c3aea88a01321ce705a5fcded2a74d8
SHA256 271baf68891b775c19ff448ad18177a1dd25956d7a8d6c9a1a04cd454b84f9db
SHA512 50ce310246854d65e902f0d8e586732e2d94d4b9f713edf4be070a2d1de57bd551f885cc5d3df869180aa0d9e0920ca2d474f3919281025340e750249a06fdfe

C:\Users\Admin\AppData\Local\Temp\DD9E.exe

MD5 099b3d4378bb94aa106135ed1fc4d922
SHA1 2f9609032c3aea88a01321ce705a5fcded2a74d8
SHA256 271baf68891b775c19ff448ad18177a1dd25956d7a8d6c9a1a04cd454b84f9db
SHA512 50ce310246854d65e902f0d8e586732e2d94d4b9f713edf4be070a2d1de57bd551f885cc5d3df869180aa0d9e0920ca2d474f3919281025340e750249a06fdfe

C:\Users\Admin\AppData\Local\Temp\DEC8.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe

MD5 a67fb4171f897930464e5f48ca226432
SHA1 596933d03d071a6653c67e01cc047c934649aba2
SHA256 28038eb5c01bf791e49727f20826e6fad223d116b70238261696539425719669
SHA512 6ffa5b0a6ff9c514c001dc407c4ca5ba69c5bb9337296387dde3fba167e5b7935885565dab84260e8d2ad380a6dff83e92a0650272563c48bcb38923b09d6c52

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Gs2nk2Lc.exe

MD5 a67fb4171f897930464e5f48ca226432
SHA1 596933d03d071a6653c67e01cc047c934649aba2
SHA256 28038eb5c01bf791e49727f20826e6fad223d116b70238261696539425719669
SHA512 6ffa5b0a6ff9c514c001dc407c4ca5ba69c5bb9337296387dde3fba167e5b7935885565dab84260e8d2ad380a6dff83e92a0650272563c48bcb38923b09d6c52

C:\Users\Admin\AppData\Local\Temp\DEC8.exe

MD5 681a1edcbe145ff2480a0eff775117f0
SHA1 9d3ac177ae0166f168b06711c10495065ac460f5
SHA256 c55d8e4cc82489e37fdef80c7c9438e99d43f877bcdeb0fefa9cd077fdd4ee41
SHA512 4abe92527b95af849140c2fa8c192d0bf14adb1d5ddd5d339d6047b5b8371fa2b8a856490902ba06bf9c6cabae257cadc0be525ea76d6202da020ca698fa23e4

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe

MD5 24a8217ddd7bb28c2aabe78e51ae4b7c
SHA1 3a521565cd894883b72b73bdfc2053aa1a60bbf6
SHA256 8a379a26434d4c79d0dd51288fbeb8227f665cdfb02742de105a9b1a7f8f1d7b
SHA512 5a17a45a5e8ac9b0bf76686751fe061482f4b43eb23b2f954b26c49313013ea419921eb46d6e98d84056767e1af72cb105c1cf3bf39c1ab5583c8f325df8a903

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\IN4Tk4cT.exe

MD5 24a8217ddd7bb28c2aabe78e51ae4b7c
SHA1 3a521565cd894883b72b73bdfc2053aa1a60bbf6
SHA256 8a379a26434d4c79d0dd51288fbeb8227f665cdfb02742de105a9b1a7f8f1d7b
SHA512 5a17a45a5e8ac9b0bf76686751fe061482f4b43eb23b2f954b26c49313013ea419921eb46d6e98d84056767e1af72cb105c1cf3bf39c1ab5583c8f325df8a903

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe

MD5 852c0f3c1b7ce4d69fffd93b5e02a93f
SHA1 d58b19886548efa210002ff03eb900c336c5d2e2
SHA256 ddbfe58547bb89c62e41eb7e04df2db155ae635a410982eccdd03364d72570fa
SHA512 ea9820107653520c862447f51c600094e37c6ef711eb55c071f830d0c559b34cb535099083d03b52efb322bf1426ebdc42c6645e70ccf9c151edf447538a2df4

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\cY6Eg9xY.exe

MD5 852c0f3c1b7ce4d69fffd93b5e02a93f
SHA1 d58b19886548efa210002ff03eb900c336c5d2e2
SHA256 ddbfe58547bb89c62e41eb7e04df2db155ae635a410982eccdd03364d72570fa
SHA512 ea9820107653520c862447f51c600094e37c6ef711eb55c071f830d0c559b34cb535099083d03b52efb322bf1426ebdc42c6645e70ccf9c151edf447538a2df4

C:\Users\Admin\AppData\Local\Temp\DFF2.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe

MD5 7f6112421b9caa7f2b9f690297d3dc26
SHA1 de8a94e43e7943fef6a2d5e27b87a334fb30fb89
SHA256 753df5549a1e75d223204cf4f8979bbaad9086a0cdf3182cac159550e98f12c0
SHA512 0f8de918907e1ea96c1758c4157ce85ef10039ebdb901f65c7a68cc7696bbf6d1b085d2f650677b9337407cc8409b7fd4b3d224e52d6efb42b234b1df058a1bb

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\Ps1dG7Lt.exe

MD5 7f6112421b9caa7f2b9f690297d3dc26
SHA1 de8a94e43e7943fef6a2d5e27b87a334fb30fb89
SHA256 753df5549a1e75d223204cf4f8979bbaad9086a0cdf3182cac159550e98f12c0
SHA512 0f8de918907e1ea96c1758c4157ce85ef10039ebdb901f65c7a68cc7696bbf6d1b085d2f650677b9337407cc8409b7fd4b3d224e52d6efb42b234b1df058a1bb

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe

MD5 6de25e4bd7e214f28e993a708dd8a3fe
SHA1 c7dde639c9b312d47acf3ff82a965a321294622b
SHA256 e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003
SHA512 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\IM2ly51.exe

MD5 6de25e4bd7e214f28e993a708dd8a3fe
SHA1 c7dde639c9b312d47acf3ff82a965a321294622b
SHA256 e8e358201efff005592a27f48dcafb7cfe9a12bb2840ce96350eab806ef00003
SHA512 93b3c6b5380c3d4e59c5da69ba7f17d2246e1f9fe8351ca3877bcaf8fe6701dce845f064cb2a2e3a25a0b329d8c665a2fa15933543cae850a220cc3179ac38f7

C:\Users\Admin\AppData\Local\Temp\E13B.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

C:\Users\Admin\AppData\Local\Temp\E13B.exe

MD5 e807b615389cd0c7d8d2334b0eb6fd86
SHA1 f84e547a8e30c1a31ecf3e0f71f98bd3f246e74f
SHA256 512ac913ac02033f24682c72c5ba10d3d304e9dbfec5ce0f528bd9024851dbcc
SHA512 97814ec9ec09438f6f83d3ac4d6793a4b2338585f5945e90ba3f2faf656a756c99701366b0b9e947269158b8455742ae3e74a91fdda7c8f1f8863e5563045069

memory/4676-90-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4676-93-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4676-94-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4676-95-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E38E.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1800-100-0x0000000000150000-0x000000000015A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E38E.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/504-101-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Jn21gx.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Jn21gx.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

memory/1800-109-0x00007FFC87BD0000-0x00007FFC885BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

C:\Users\Admin\AppData\Local\Temp\E573.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/504-119-0x0000000072230000-0x000000007291E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E573.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\LI279Qb.exe

MD5 30dd294af58c1b8e5b95055f90755d5a
SHA1 84dfdbaf07fc2803450a3857e81128c86da01aaf
SHA256 8bdbc5b417eb2e0931735842f6e9d656704e36e37ae15c84ad5f36f2e8170ad2
SHA512 9b0010115567db9c019c32d02809fd72d631b50efedba77a333dbdb65ffa6a6a56b2130e7bd45db93e283863691206b96ff9ef2babed414dede5995df9f73f29

memory/504-123-0x000000000B870000-0x000000000BD6E000-memory.dmp

memory/504-124-0x000000000B410000-0x000000000B4A2000-memory.dmp

memory/504-125-0x000000000B3A0000-0x000000000B3B0000-memory.dmp

memory/504-127-0x000000000B3D0000-0x000000000B3DA000-memory.dmp

memory/1588-126-0x00000148DF220000-0x00000148DF230000-memory.dmp

memory/504-134-0x000000000C380000-0x000000000C986000-memory.dmp

memory/504-139-0x000000000B710000-0x000000000B81A000-memory.dmp

memory/504-141-0x000000000B620000-0x000000000B632000-memory.dmp

memory/2524-145-0x0000000072230000-0x000000007291E000-memory.dmp

memory/504-144-0x000000000B680000-0x000000000B6BE000-memory.dmp

memory/504-148-0x000000000B6C0000-0x000000000B70B000-memory.dmp

memory/1588-153-0x00000148DF600000-0x00000148DF610000-memory.dmp

memory/1588-180-0x00000148DE4A0000-0x00000148DE4A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FCB5.exe

MD5 3c81534d635fbe4bfab2861d98422f70
SHA1 9cc995fa42313cd82eacaad9e3fe818cd3805f58
SHA256 88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f
SHA512 132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

C:\Users\Admin\AppData\Local\Temp\FCB5.exe

MD5 3c81534d635fbe4bfab2861d98422f70
SHA1 9cc995fa42313cd82eacaad9e3fe818cd3805f58
SHA256 88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f
SHA512 132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

memory/5108-199-0x00007FF7CD1D0000-0x00007FF7CD23A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 7ea584dc49967de03bebdacec829b18d
SHA1 3d47f0e88c7473bedeed2f14d7a8db1318b93852
SHA256 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53
SHA512 ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 7ea584dc49967de03bebdacec829b18d
SHA1 3d47f0e88c7473bedeed2f14d7a8db1318b93852
SHA256 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53
SHA512 ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

C:\Users\Admin\AppData\Local\Temp\273.exe

MD5 965fcf373f3e95995f8ae35df758eca1
SHA1 a62d2494f6ba8a02a80a02017e7c347f76b18fa6
SHA256 82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39
SHA512 55e9fefbe2a1ed92034573f3c4bb03fe29b0d345ebe834f2f9192d5ddd2237f1bb8e4fb5f9516852e7e0efa42a3122a11d2f0db7c9633b1566901cdd7862ff52

memory/2172-210-0x0000000002620000-0x0000000002629000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

memory/1712-218-0x0000000000960000-0x0000000000B1D000-memory.dmp

memory/3256-219-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1800-216-0x00007FFC87BD0000-0x00007FFC885BC000-memory.dmp

memory/504-221-0x0000000072230000-0x000000007291E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/4316-226-0x0000000000470000-0x00000000005E4000-memory.dmp

memory/4932-228-0x0000000004530000-0x000000000492C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\273.exe

MD5 965fcf373f3e95995f8ae35df758eca1
SHA1 a62d2494f6ba8a02a80a02017e7c347f76b18fa6
SHA256 82eab1b2cab9f16d77c242e4ff1eb983d7e0a64b78b5dc69d87af2a4016f4f39
SHA512 55e9fefbe2a1ed92034573f3c4bb03fe29b0d345ebe834f2f9192d5ddd2237f1bb8e4fb5f9516852e7e0efa42a3122a11d2f0db7c9633b1566901cdd7862ff52

memory/3256-215-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2172-208-0x0000000002810000-0x0000000002910000-memory.dmp

memory/1800-240-0x00007FFC87BD0000-0x00007FFC885BC000-memory.dmp

memory/4932-241-0x0000000000400000-0x000000000298D000-memory.dmp

memory/5000-242-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4316-244-0x0000000072230000-0x000000007291E000-memory.dmp

memory/4932-248-0x0000000004A30000-0x000000000531B000-memory.dmp

memory/504-250-0x000000000B3A0000-0x000000000B3B0000-memory.dmp

memory/1712-252-0x0000000000960000-0x0000000000B1D000-memory.dmp

memory/5000-254-0x0000000072230000-0x000000007291E000-memory.dmp

memory/5000-255-0x00000000058A0000-0x00000000058A6000-memory.dmp

memory/2524-259-0x0000000072230000-0x000000007291E000-memory.dmp

memory/5108-260-0x00000000030F0000-0x0000000003261000-memory.dmp

memory/5108-261-0x0000000003270000-0x00000000033A1000-memory.dmp

memory/5000-262-0x0000000009970000-0x0000000009980000-memory.dmp

memory/3264-268-0x0000000002370000-0x0000000002386000-memory.dmp

memory/3256-269-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/4496-278-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/1896-288-0x0000000000190000-0x0000000000198000-memory.dmp

memory/1896-291-0x00007FFC88440000-0x00007FFC88E2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-A3TFO.tmp\is-TNBN7.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/1896-294-0x000000001AE30000-0x000000001AE40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-A3TFO.tmp\is-TNBN7.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/4316-296-0x0000000072230000-0x000000007291E000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-GEOHG.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-GEOHG.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

\Users\Admin\AppData\Local\Temp\is-GEOHG.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

memory/2872-315-0x00000000001F0000-0x00000000001F1000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/4320-329-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4932-330-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/4320-334-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/4932-333-0x0000000000400000-0x000000000298D000-memory.dmp

memory/1828-338-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4932-337-0x0000000004530000-0x000000000492C000-memory.dmp

memory/5000-345-0x000000000F040000-0x000000000F0B6000-memory.dmp

memory/5000-351-0x000000000F200000-0x000000000F266000-memory.dmp

memory/1712-350-0x0000000000960000-0x0000000000B1D000-memory.dmp

memory/5000-398-0x0000000072230000-0x000000007291E000-memory.dmp

memory/5000-396-0x00000000104F0000-0x00000000106B2000-memory.dmp

memory/4984-399-0x000001C70B160000-0x000001C70B162000-memory.dmp

memory/4984-401-0x000001C70B180000-0x000001C70B182000-memory.dmp

memory/5000-402-0x0000000010BF0000-0x000000001111C000-memory.dmp

memory/4984-408-0x000001C71BB20000-0x000001C71BB22000-memory.dmp

memory/4984-434-0x000001C71C310000-0x000001C71C312000-memory.dmp

memory/4984-445-0x000001C71C330000-0x000001C71C332000-memory.dmp

memory/5108-453-0x0000000003270000-0x00000000033A1000-memory.dmp

memory/1896-476-0x00007FFC88440000-0x00007FFC88E2C000-memory.dmp

memory/5000-502-0x0000000009970000-0x0000000009980000-memory.dmp

memory/4496-582-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\4RPAM05V\B8BxsscfVBr[1].ico

MD5 e508eca3eafcc1fc2d7f19bafb29e06b
SHA1 a62fc3c2a027870d99aedc241e7d5babba9a891f
SHA256 e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a
SHA512 49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

memory/5000-848-0x0000000010420000-0x0000000010470000-memory.dmp

memory/4720-892-0x0000000072230000-0x000000007291E000-memory.dmp

memory/4720-896-0x0000000004430000-0x0000000004466000-memory.dmp

memory/4720-898-0x00000000066E0000-0x00000000066F0000-memory.dmp

memory/4720-904-0x0000000006D20000-0x0000000007348000-memory.dmp

memory/4720-913-0x0000000006A60000-0x0000000006A82000-memory.dmp

memory/4720-919-0x0000000007450000-0x00000000074B6000-memory.dmp

memory/4720-927-0x00000000074C0000-0x0000000007810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxazfiyn.g5c.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 06e9db049239b88264bb41e6c189c2db
SHA1 6c2028fd438f4a298535ce0a4f1273d5b325e008
SHA256 b221c79a82cf13f8c59431aad31a64d7619b05f76c9b69895afcb425f121c74c
SHA512 a09cccaebb53a6ebf1559ffa151b2893a2ec974b72465c0dd34409df86d20b9a38d3d398ca8789744b5c1007423ec994cf74ba369e2e53d47eaf0330c5bad50d

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 423974b792075d8d2ab0d07d1a569e09
SHA1 50f0e7e96520dd4882eacf19f3c525d9787eb104
SHA256 20d4619ddd6cac4c0316413d6129aae24dfef6c1ecfba1d9d7c43fc2a6998698
SHA512 c8ee97e9785f6cdf239e6d97bff762981347a9849ed0c6583130b0601cec069b69c314866d4a4b0e54936ac76791310e34bb3ec0745ebc8967b412673a7b3b36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6dbbc6b9ef15b3d0da0d70eb9305430a
SHA1 c86630c69a20b9300fb6b0beefadb9a099c50e3a
SHA256 f4062751bfa02d396b6f03f66fd6a8b5a5b44671ebb9278f59f20b8c336f5b2b
SHA512 d91cdb16f18410e56a3f72b666ddff829951b9814192c317c84604f25bc5916196aeb7c51fd252404b1e6515d356a9583e05f4ec22e7c804f163f11f0bc9fea2

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 2b06e94ffb5f2a40288a4b77d98cada2
SHA1 81da1ec616fa59bd61f26c75dd0b4a7d265cf452
SHA256 a5129dc59ddeee8074c92ceafa6bf5f0dbe36cc4f1d29fae41db18fd34d80442
SHA512 550e0d49ebe4ad4099d397f644d180999a5253450ae32777a8a529de25d9a8067f9c8f9006917fe7b73bddd7a142553979a2f26097917150da1263102ab7f28a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0G1F2NWK\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Users\Admin\AppData\Roaming\egiavev

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Windows\rss\csrss.exe

MD5 7ea584dc49967de03bebdacec829b18d
SHA1 3d47f0e88c7473bedeed2f14d7a8db1318b93852
SHA256 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53
SHA512 ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\UCVUWTY4\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee