Malware Analysis Report

2025-08-11 02:10

Sample ID 231003-c622aahg39
Target 6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264
SHA256 6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264
Tags
amadey dcrat glupteba healer mystic redline smokeloader @ytlogsbot jordan larek up3 backdoor discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264 was found to be: Known bad.

Malicious Activity Summary

Healer

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

SmokeLoader

RedLine payload

RedLine

Amadey

Mystic

DcRat

Glupteba payload

Glupteba

Downloads MZ/PE file

Modifies Windows Firewall

Checks computer location settings

Loads dropped DLL

Windows security modification

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Executes dropped EXE

Manipulates WinMonFS driver

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Runs net.exe

Enumerates system info in registry

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 02:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 02:42

Reported

2023-10-03 02:44

Platform

win10v2004-20230915-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (×6 identical rows: hits recorded without indicator, process or target)

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (×7 identical rows: hits recorded without indicator, process or target)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Note: 46AD.exe and 1rK37DW6.exe write the policy values that Group Policy uses to turn off real-time, behavior, on-access and IOAV scanning (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection). The same two processes also set Features\TamperProtection = 0 (see Windows security modification below). On a host with Tamper Protection enabled, Defender ignores registry changes to these policy values and protects the TamperProtection value itself, so the effect on a hardened host is smaller than the sandbox result suggests.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\46AD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\46AD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\46AD.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\46AD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\46AD.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (×5 identical rows: hits recorded without indicator, process or target)

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Note: the value read is the user's GeoID (Control Panel\International\Geo\Nation). Commodity loaders and stealers commonly read it early in execution to skip hosts in excluded countries, so treat this as a locale gate rather than a benign localisation lookup.
Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4900.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6tv04.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ie39KX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wL0jS6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\40AE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vn8zv7Uh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\41C8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aY2kr8VV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Rz9SE5IY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\mB2nO8vz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1mI85mj9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\44D7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\46AD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4900.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Dc044iF.exe N/A
N/A N/A C:\Windows\SysWOW64\net.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E8D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62E4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-UUGRP.tmp\is-TOBHC.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72B3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\72B3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\PercentGroupSizes\clmlezi\IsPublic.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\46AD.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Note: the wextract_cleanupN RunOnce values are the standard cleanup hook of a WEXTRACT (IExpress-style) self-extracting cabinet: rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXPnnn.TMP extraction directory at the next logon. They show that each stage is itself a WEXTRACT archive nested inside the previous one (IXP000.TMP -> IXP001.TMP -> ...), but they are not persistence. The only real autorun entry in this table is HKCU\...\Run\csrss = "C:\Windows\rss\csrss.exe", written first by 31839b57a4f11171d6abc8bbc4451ee4.exe and then by csrss.exe itself.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aY2kr8VV.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6tv04.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vn8zv7Uh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\40AE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Rz9SE5IY.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\mB2nO8vz.exe N/A
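The "Set value" rows in this table and in the two Defender tables earlier (Modifies Windows Defender Real-time Protection settings, Windows security modification) can be triaged mechanically. The script below is an added example written for this page, not code from the sandbox vendor or from any of the malware families named. It assumes only the row format shown in these tables and embeds a constructed subset of those rows as its input: it flags the Defender policy writes and the TamperProtection reset, separates the WEXTRACT RunOnce cleanup hooks from the one real autorun entry, and recovers the IXP000 -> IXP003 nesting order from the cleanup indices.

```python
"""Triage the 'Set value' registry rows of a sandbox report: flag Defender policy tampering,
separate WEXTRACT cleanup hooks from real autorun persistence, and recover the unpack order."""
import re
from collections import Counter
from typing import Optional

# Constructed sample input: rows copied verbatim from the Defender, TamperProtection and
# Run-key tables of this report (a subset of each), embedded so the script runs offline.
SAMPLE_LINES = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\46AD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\46AD.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6tv04.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
""".strip().splitlines()

# One report row: Set value (kind) <key> = "<data>" <process> N/A
ROW_RE = re.compile(
    r'^Set value \((?P<kind>int|str)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+) N/A$'
)
DEFENDER_POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_PROTECTION = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(?P<hive>Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
CLEANUP_RE = re.compile(r'DelNodeRunDLL32 "(?P<dir>[^"]+)"')


def unescape(data: str) -> str:
    """Undo the report's C-style escaping of value data (backslash-quote, backslash-backslash)."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_row(line: str) -> Optional[dict]:
    """Split one 'Set value' row into kind, key, unescaped data and the writing process."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["data"] = unescape(rec["data"])
    return rec


def classify(rec: dict) -> str:
    key, data = rec["key"], rec["data"]
    if key.startswith(DEFENDER_POLICY) and data == "1":
        return "defender-policy-disable"  # GPO-equivalent switch-off of a Defender feature
    if key == TAMPER_PROTECTION and data == "0":
        return "tamper-protection-off"
    m = RUN_KEY_RE.search(key)
    if m:
        # WEXTRACT registers "delete IXPnnn.TMP at next logon" under RunOnce; that is an
        # unpacking artefact, not persistence, so keep it apart from real Run entries.
        is_cleanup = (m["hive"].lower() == "runonce"
                      and m["name"].lower().startswith("wextract_cleanup")
                      and "DelNodeRunDLL32" in data)
        return "wextract-cleanup" if is_cleanup else "autorun-persistence"
    return "other"


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def unpack_chain(records: list) -> list:
    """Order wextract_cleanupN hooks by N: each nested self-extractor registers cleanup of the
    IXPnnn.TMP directory it just unpacked into, so N gives the nesting order."""
    steps = []
    for rec in records:
        if classify(rec) != "wextract-cleanup":
            continue
        n = int(rec["key"].lower().rsplit("wextract_cleanup", 1)[1])
        target = basename(CLEANUP_RE.search(rec["data"])["dir"])
        steps.append((n, basename(rec["proc"]), target))
    return [(proc, target) for _, proc, target in sorted(steps)]


def summarize(lines: list) -> dict:
    recs = [r for r in map(parse_row, lines) if r]
    counts = dict(Counter(classify(r) for r in recs))
    persistence = [(basename(r["key"]), r["data"], basename(r["proc"]))
                   for r in recs if classify(r) == "autorun-persistence"]
    return {"counts": counts, "chain": unpack_chain(recs), "persistence": persistence}


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for label, n in sorted(result["counts"].items()):
        print(f"{n:3d}  {label}")
    print("unpack order:", " -> ".join(f"{p} [{t}]" for p, t in result["chain"]))
    for name, cmd, proc in result["persistence"]:
        print(f"persistence: Run\\{name} = {cmd}  (written by {proc})")
```

Rows that are not "Set value" events (Key created, Key value queried) are skipped, so the same script can be run over a whole report export; only the Run/RunOnce and Defender keys are interpreted, everything else lands in "other".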

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Note: \??\WinMonFS is the device object of the WinMonFS kernel driver, the file-hiding rootkit component installed by Glupteba; C:\Windows\rss\csrss.exe opening it for modification is the user-mode component talking to that driver.
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Note: the paths are under C:\Windows\SysWOW64\config\systemprofile, the LocalSystem account's profile, so the 32-bit powershell.exe that wrote them was running as SYSTEM rather than as the Admin user who launched the sample.
Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (×5 identical rows)
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

evasion
Note: despite the signature name, the indicator is not a DLL load but an open of \??\VBoxMiniRdrDN, the VirtualBox shared-folder redirector device that exists only in a VirtualBox guest with Guest Additions installed; a successful open tells 31839b57a4f11171d6abc8bbc4451ee4.exe it is running inside a VirtualBox VM.
Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PA Previewer\is-6UHP6.tmp C:\Users\Admin\AppData\Local\Temp\is-UUGRP.tmp\is-TOBHC.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-TNI56.tmp C:\Users\Admin\AppData\Local\Temp\is-UUGRP.tmp\is-TOBHC.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-GV56E.tmp C:\Users\Admin\AppData\Local\Temp\is-UUGRP.tmp\is-TOBHC.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-UUGRP.tmp\is-TOBHC.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-UUGRP.tmp\is-TOBHC.tmp N/A
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-UUGRP.tmp\is-TOBHC.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-ROR18.tmp C:\Users\Admin\AppData\Local\Temp\is-UUGRP.tmp\is-TOBHC.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Note: HKLM\SYSTEM\ControlSet001\Enum\SCSI holds the disk device IDs, which carry vendor and model strings (VBOX, VMware or QEMU on virtual disks); reading it serves both VM detection and the hardware fingerprint a stealer reports to its C2.
Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A N/A N/A (×54 identical rows: hits recorded without indicator, process or target)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\46AD.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3248 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe
PID 3248 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe
PID 3248 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe
PID 3148 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe
PID 3148 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe
PID 3148 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe
PID 4240 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6tv04.exe
PID 4240 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6tv04.exe
PID 4240 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6tv04.exe
PID 4308 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6tv04.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe
PID 4308 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6tv04.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe
PID 4308 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6tv04.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe
PID 4308 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6tv04.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe
PID 4308 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6tv04.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe
PID 4820 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4820 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4820 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4820 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4820 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4820 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4820 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4820 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4820 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4820 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4240 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ie39KX.exe
PID 4240 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ie39KX.exe
PID 4240 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ie39KX.exe
PID 2252 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ie39KX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2252 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ie39KX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2252 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ie39KX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2252 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ie39KX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2252 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ie39KX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2252 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ie39KX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3148 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe
PID 3148 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe
PID 3148 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe
PID 2820 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2820 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2820 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2820 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2820 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2820 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2820 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2820 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3248 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wL0jS6.exe
PID 3248 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wL0jS6.exe
PID 3248 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wL0jS6.exe
PID 2108 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wL0jS6.exe C:\Windows\system32\cmd.exe
PID 2108 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wL0jS6.exe C:\Windows\system32\cmd.exe
PID 5036 wrote to memory of 3384 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 3384 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 3804 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5036 wrote to memory of 3804 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3384 wrote to memory of 4500 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3384 wrote to memory of 4500 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3804 wrote to memory of 3788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3804 wrote to memory of 3788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3384 wrote to memory of 4236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3384 wrote to memory of 4236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3384 wrote to memory of 4236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3384 wrote to memory of 4236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3384 wrote to memory of 4236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3384 wrote to memory of 4236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3384 wrote to memory of 4236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264.exe

"C:\Users\Admin\AppData\Local\Temp\6d28a56ee4e2b61e22aff0d08fce3ed3cdcbbaa96d1067bba5232418ccfa9264.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6tv04.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6tv04.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4820 -ip 4820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4712 -ip 4712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 592

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ie39KX.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ie39KX.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2252 -ip 2252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2820 -ip 2820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wL0jS6.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wL0jS6.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EE57.tmp\EE58.tmp\EE59.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wL0jS6.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x144,0x178,0x7ff8c88a46f8,0x7ff8c88a4708,0x7ff8c88a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8c88a46f8,0x7ff8c88a4708,0x7ff8c88a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,18356668600527153737,7688936818805395671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,18356668600527153737,7688936818805395671,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\40AE.exe

C:\Users\Admin\AppData\Local\Temp\40AE.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vn8zv7Uh.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vn8zv7Uh.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aY2kr8VV.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aY2kr8VV.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Rz9SE5IY.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Rz9SE5IY.exe

C:\Users\Admin\AppData\Local\Temp\41C8.exe

C:\Users\Admin\AppData\Local\Temp\41C8.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\mB2nO8vz.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\mB2nO8vz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\434F.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1mI85mj9.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1mI85mj9.exe

C:\Users\Admin\AppData\Local\Temp\44D7.exe

C:\Users\Admin\AppData\Local\Temp\44D7.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4040 -ip 4040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 416

C:\Users\Admin\AppData\Local\Temp\46AD.exe

C:\Users\Admin\AppData\Local\Temp\46AD.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2720 -ip 2720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5188 -ip 5188

C:\Users\Admin\AppData\Local\Temp\4900.exe

C:\Users\Admin\AppData\Local\Temp\4900.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 112 -ip 112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 148

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Dc044iF.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Dc044iF.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8c88a46f8,0x7ff8c88a4708,0x7ff8c88a4718

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c88a46f8,0x7ff8c88a4708,0x7ff8c88a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\5A95.exe

C:\Users\Admin\AppData\Local\Temp\5A95.exe

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\5E8D.exe

C:\Users\Admin\AppData\Local\Temp\5E8D.exe

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\62E4.exe

C:\Users\Admin\AppData\Local\Temp\62E4.exe

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\is-UUGRP.tmp\is-TOBHC.tmp

"C:\Users\Admin\AppData\Local\Temp\is-UUGRP.tmp\is-TOBHC.tmp" /SL4 $1501B4 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6044 -ip 6044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 792

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Users\Admin\AppData\Local\Temp\72B3.exe

C:\Users\Admin\AppData\Local\Temp\72B3.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9657319375122597719,13471471957109269319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\72B3.exe

C:\Users\Admin\AppData\Local\Temp\72B3.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\PercentGroupSizes\clmlezi\IsPublic.exe

C:\Users\Admin\AppData\Local\PercentGroupSizes\clmlezi\IsPublic.exe
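
The command lines above carry the persistence and defense-evasion steps a detection engineer would key on: a schtasks task that reruns explothe.exe every minute, cacls denying the Admin user access to the dropper and its directory, a netsh inbound allow rule for C:\Windows\rss\csrss.exe, an ONLOGON task with /RL HIGHEST for that same binary, rundll32 loading clip64.dll from AppData\Roaming, and injector.exe handing taskmgr.exe a hook DLL. The Python script below is an added example written for this page, not part of the sandbox report: it runs a small rule set over those command lines (copied from the list above as constructed input) and maps each hit to an ATT&CK technique. The rule names, regexes and technique IDs are the editor's choices, not sandbox output.

```python
import re
from collections import defaultdict

# Command lines copied from the process list above (constructed input for this
# example; the report lists many more). Raw strings keep the backslashes literal.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'C:\Windows\rss\csrss.exe',
    r'"C:\Windows\system32\net.exe" helpmsg 8',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login',
]

# (rule name, ATT&CK technique, pattern). Case-insensitive because the same tool
# shows up here as CACLS and cacls, /Create and /CREATE. The technique mapping is
# the editor's, not sandbox output.
RULES = [
    ("schtasks task on a minute schedule", "T1053.005",
     re.compile(r'schtasks(?:\.exe)?"?\s.*?/create\b.*?/sc\s+minute\b', re.I)),
    ("schtasks logon task with /RL HIGHEST", "T1053.005",
     re.compile(r'schtasks(?:\.exe)?"?\s.*?/create\b.*?/sc\s+onlogon\b.*?/rl\s+highest\b', re.I)),
    ("cacls/icacls denies (:N) access to a file or directory", "T1222.001",
     re.compile(r'\bi?cacls\b[^&|]*?/p\s+"?[^"\s]+:N\b', re.I)),
    ("netsh inbound allow rule for a program", "T1562.004",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bdir=in\b.*?\baction=allow\b.*?\bprogram=', re.I)),
    ("rundll32 loads a DLL from the user's AppData", "T1218.011",
     re.compile(r'rundll32(?:\.exe)?"?\s+"?[^"\s]*\\AppData\\[^"\s]*\.dll\b', re.I)),
    ("executable given a target process name and a DLL (injection)", "T1055.001",
     re.compile(r'\.exe"?\s+[\w.-]+\.exe\s+"?[^"\s]+\.dll\b', re.I)),
    ("core system binary name outside System32/SysWOW64", "T1036.005",
     re.compile(r'C:\\Windows\\(?!System32\\|SysWOW64\\|WinSxS\\)[^"\s]*\\(?:csrss|svchost|lsass|smss|winlogon)\.exe\b', re.I)),
]


def triage(cmdlines):
    """Map each command line that trips at least one rule to its [(rule, technique)] hits."""
    hits = {}
    for line in cmdlines:
        matched = [(name, tid) for name, tid, rx in RULES if rx.search(line)]
        if matched:
            hits[line] = matched
    return hits


def technique_counts(hits):
    """How many flagged command lines touch each ATT&CK technique."""
    counts = defaultdict(int)
    for matched in hits.values():
        for _, tid in matched:
            counts[tid] += 1
    return dict(counts)


if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for line, matched in found.items():
        print(line[:90])
        for name, tid in matched:
            print(f"    {tid}  {name}")
    print(technique_counts(found))
```

Run as a script it prints the seven flagged lines; net.exe helpmsg and the Edge launch fall through. The patterns are deliberately loose on quoting and case because the same actions appear here both bare and wrapped in cmd.exe /C or /k. A production rule would also want the parent process (schtasks and cacls spawned from an executable in Temp), which this listing does not carry.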

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
FI 77.91.124.55:19071 tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 fbsbx.com udp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.68.78:80 77.91.68.78 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
US 95.214.25.204:80 95.214.25.204 tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 204.25.214.95.in-addr.arpa udp
NL 89.208.107.31:80 89.208.107.31 tcp
US 8.8.8.8:53 31.107.208.89.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 68.121.18.2.in-addr.arpa udp
MD 176.123.4.46:33783 tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 46.4.123.176.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 b3474776-706e-4385-a873-940fe32deb01.uuid.ramboclub.net udp
US 8.8.8.8:53 stun.ipfire.org udp
US 8.8.8.8:53 server2.ramboclub.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.48:443 server2.ramboclub.net tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 mastertryprice.com udp
US 172.67.212.103:443 mastertryprice.com tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 48.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 103.212.67.172.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 datasheet.fun udp
US 172.67.166.109:80 datasheet.fun tcp
US 8.8.8.8:53 109.166.67.172.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
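
Most rows in the table are forward lookups to 8.8.8.8, reverse (in-addr.arpa) lookups, and the browser's traffic to facebook.com and google.com. The rows worth pulling out are the connections to a bare IP that was never the answer to a forward lookup, especially on a high port, and those repeated throughout the run (77.91.124.55:19071 appears more than ten times). The script below is an added example written for this page, not part of the report: it parses rows in the table's own column layout (a constructed subset of the lines above) and ranks candidate command-and-control endpoints. The scoring criteria are the editor's heuristics.

```python
import ipaddress
import re
from collections import Counter

# Rows copied from the report's Network table above (constructed subset, same
# column layout: country, destination ip:port, optional domain, protocol).
SAMPLE_NETWORK = """\
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 5.42.92.211:80 5.42.92.211 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
MD 176.123.4.46:33783 tcp
US 8.8.8.8:53 stun.ipfire.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
N/A 224.0.0.251:5353 udp
"""

ROW = re.compile(r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)"
                 r"(?:\s+(?P<name>\S+))?\s+(?P<proto>tcp|udp)$")
WEB_PORTS = {80, 443}


def parse_rows(text):
    """Parse table rows; the domain column is absent for direct-to-IP connections."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def c2_candidates(rows):
    """Rank non-DNS destinations that look like hard-coded C2.

    Flags a connection when its peer has no hostname (or the 'domain' column is
    just the IP again), when the hostname was never the subject of a forward
    lookup in the capture, or when the port is not a web port. Returns a list of
    (ip, port, proto, connection_count, reasons), most connections first.
    """
    resolved = {r["name"] for r in rows
                if r["port"] == 53 and r["name"] and not r["name"].endswith(".in-addr.arpa")}
    counts, reasons = Counter(), {}
    for r in rows:
        if r["port"] == 53 or ipaddress.ip_address(r["ip"]).is_multicast:
            continue  # DNS itself and mDNS are not candidates
        why = []
        if not r["name"] or r["name"] == r["ip"]:
            why.append("direct-to-IP, no hostname")
        elif r["name"] not in resolved:
            why.append("hostname never resolved in this capture")
        if r["port"] not in WEB_PORTS:
            why.append(f"uncommon port {r['port']}")
        if why:
            key = (r["ip"], r["port"], r["proto"])
            counts[key] += 1
            reasons[key] = why
    return [(ip, port, proto, n, reasons[(ip, port, proto)])
            for (ip, port, proto), n in counts.most_common()]


if __name__ == "__main__":
    for ip, port, proto, n, why in c2_candidates(parse_rows(SAMPLE_NETWORK)):
        print(f"{ip}:{port}/{proto}  x{n}  {'; '.join(why)}")
```

On the subset the top entry is 77.91.124.55:19071/tcp with three connections and both reasons; the port-80 connections to 77.91.68.29 and 5.42.92.211 are flagged only for having no hostname, and stun.ipfire.org only for its port. The repeat count is the weak signal a sandbox run can offer in place of timing; with timestamps one would look at the interval between those connections instead.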

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pD1jX67.exe

MD5 0ada65d0392c41ac7f016dac35f0d964
SHA1 96f7ade88b286d39554745fc610d838b32ca7c26
SHA256 dfae419a6b03f6d314b499e76ce743617dd401f89da88b48b930be600afe8e90
SHA512 ee539cfeb0248cd1b9f54f97f291368aac33ac50ddf407b9fcb1c840ddb25337b36e8d8427b29fcf05eabbb15728cc2c60f476355303c874fa412003db76dd28

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yx2No47.exe

MD5 ec8b7bfe3837916a3ceec5c0ebb78f6d
SHA1 0bd76a2ac3d0f2ea8a7009c6b4c726561ff296d9
SHA256 9107800a61f235dc89a5f8249d54636e4502b051ef48d53079da9c6682c2f25c
SHA512 e0896c92f4019cb8fa60364095bb724ec323789df127a5a46860d6a32248f989d260a680947c9225e710bd694b256f3e98c063d78c8cdc9ad8eb0b3b24529f82

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gk6tv04.exe

MD5 d06bd70eae0b23398a1239872b14a4d8
SHA1 60b4d41b254dc195f1386396df9b9b05b4ea321c
SHA256 47995ac1d30383560366a285053f288860e0dd3cd00be4e940e02b27cc56e2a2
SHA512 bad0e19fb3a8545b96ce44e9c67f41c8971b5eeb1c63b7b6a3413ad34f13e435840296125f8a4463eded566aea9add109ba6a54fe0cc2c1dd4ee6b93fe61b4af

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1rK37DW6.exe

MD5 1408fde498e2a4008d679e88ca4fd9d8
SHA1 1090adb6dce377b4a1e6419852d6653dc5feca76
SHA256 f45dd5e526020c3ebc786db63bfcfe5581d776c192ac54b7196bdfe9b9e53598
SHA512 72674be34dc46fca94398cb1e5755c393be51f75594b7e92325be910a2dd19dc99f8b1a89e9adef0d67d278fdd617f70c58a0f5c64b2591e9a1927bd9c682072

memory/4572-28-0x0000000000560000-0x000000000056A000-memory.dmp

memory/4572-29-0x00007FF8BDC10000-0x00007FF8BE6D1000-memory.dmp

memory/4572-31-0x00007FF8BDC10000-0x00007FF8BE6D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Sc7101.exe

MD5 13f89dd0b3e5c439f324930e406a5bda
SHA1 bda6c49c22abcdb7839cfff56b40d53eed6359dd
SHA256 817bc048781e236e42702521f82550b1a85060fa1e4a0caf08a6547c35baa4bc
SHA512 a02c15161d82db9219a69e38e336ab1a2c3e7e77aa16e7f614219d5859ea37e7d38e4372a7adbaf146508713d96781eebced31624ebbdecb58c9820859bafe28

memory/4712-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4712-36-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4712-37-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4712-39-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3ie39KX.exe

MD5 65c1940a3006d6c3f605fb30c8508e3a
SHA1 2635f82ff0b70bd695e325f1ae1ef023086d5b1e
SHA256 433c0544769ac25f7db7d2cb1cca0e814a91e026dae465ce923421ebd45ea58a
SHA512 3963a4d68dd334de86dcfea531691d993a701bdfa2991006167679800bbff914f4eff51eeea1055866cdec9da0420e9c8aa8472ec8b43b3a9ff8351e29505e82

memory/4628-43-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4628-44-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4EC143vj.exe

MD5 93298077e29ddff80c80bd6954a6f4b0
SHA1 76ec90448e2360ff9fd7ccb966a106d8eb3591fb
SHA256 71b070157720deea06b22a733f776bb0ecda1dd09350ac0ddf7e7bf1ce10784e
SHA512 38fa3df026e85a073b9240b22eed1d32c1bd499fe25e17da60abfaad05b494be260826c2c6331b76c02207c25ac2884577d7aabd451495765350af91fcf55517

memory/1576-48-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1576-49-0x0000000073AF0000-0x00000000742A0000-memory.dmp

memory/1576-50-0x0000000008130000-0x00000000086D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5wL0jS6.exe

MD5 066f67818f5f25b17e2a24a1a53b09fb
SHA1 d5d829e0bb4b9702b930f994a6feb80582160f3e
SHA256 310dbd0c0f0782093634889f5c3051ace2f6f08e894b91cee5620651125cf275
SHA512 df58a7cbc4dd7506381b17b072bc29ccf92502451bbe4ff7330f6ec326a6ef49528208d9a7df9d27e221fd408b2ae6df14b12bef014cc2dc2fa46a3d8e58f4dc

memory/1576-54-0x0000000007C60000-0x0000000007CF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE57.tmp\EE58.tmp\EE59.bat

MD5 5a115a88ca30a9f57fdbb545490c2043
SHA1 67e90f37fc4c1ada2745052c612818588a5595f4
SHA256 52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d
SHA512 17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

memory/1576-57-0x0000000007DA0000-0x0000000007DB0000-memory.dmp

memory/1576-58-0x0000000007D10000-0x0000000007D1A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6351be8b63227413881e5dfb033459cc
SHA1 f24489be1e693dc22d6aac7edd692833c623d502
SHA256 e24cda01850900bdb3a4ae5f590a76565664d7689026c146eb96bcd197dac88b
SHA512 66e249488a2f9aa020834f3deca7e4662574dcab0cbb684f21f295f46d71b11f9494b075288189d9df29e4f3414d4b86c27bf8823005d400a5946d7b477f0aef

memory/1576-61-0x0000000008D00000-0x0000000009318000-memory.dmp

memory/1576-63-0x0000000007FE0000-0x00000000080EA000-memory.dmp

memory/1576-64-0x0000000007EF0000-0x0000000007F02000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

memory/1576-75-0x0000000007F50000-0x0000000007F8C000-memory.dmp

memory/1576-76-0x0000000007F90000-0x0000000007FDC000-memory.dmp

\??\pipe\LOCAL\crashpad_3384_IFJZHVBREUSQNEQQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_3804_QVOWBWUTRBZYXHAC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 915fab3b8352193132b0af662729891f
SHA1 97fd433b009f53e630d7a22ce62cec342919975d
SHA256 2fc9e44eeef30a68c01cc6810a58f58ff55a5b6cc28922b0989f25d263193ab5
SHA512 ecb5bcc06b7b4875d1f165cbc506eff966f4d49d01ddd1f0314b227becd5c3932e57a4b2143305cf04123abc43f1277cb97c5fe672b5c755208aa6df6e9dc338

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 598562cfa1bd428342acc6af497b3f24
SHA1 9d2fb7c2063943656de04490fd46cd835e3714b1
SHA256 4fbbffb44e228dff6ade2c4e5e663d73e9d579e17308267d4eba4e2d535e2223
SHA512 c23cafb3e40bfe99ffee24348ec6175111f691cfe7676fca23a185c63dcdadf08d3f3a8972d553822c2bfe9ae3edf870a185fe34bca19e0ab27cfc7d123a4337

memory/3084-132-0x0000000002BF0000-0x0000000002C06000-memory.dmp

memory/4628-135-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/1576-220-0x0000000073AF0000-0x00000000742A0000-memory.dmp

memory/1576-225-0x0000000007DA0000-0x0000000007DB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4c60afdf5949a107eba8686c38dcbf2f
SHA1 13651e42f083a792bc75077f58bcff09d10bb529
SHA256 9307b0b85830c78e53dea7ffd79febd32536eb7f10c4a0d7fd5e3eb12cccb34c
SHA512 00b3c9b45434e868cb120c1fe00f5a397a609cd57928a49772aca5f8abe36fc8ffbfb08aca3a7d2c00bc5405815faa1012803f6f4161d6bf8ae2c4298eb82482

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0242b76394fc2f2352b9b0756e9f5b1e
SHA1 c21c18f206931f8b73eaf3a0dbec2d2e18b98c32
SHA256 b796f43058f91f994235f0937b5775c6d8f086d284ed27201c1e49a281a87779
SHA512 b3978ea7b19ef5d4f72aabe8b995779253d0d6d72cb6497b949ec2fe0335c115d920e5de722de2f8ef43d04a1cb08a1a2f84de051d1d8e3fe1b719b7703dc7d7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 699e3636ed7444d9b47772e4446ccfc1
SHA1 db0459ca6ceeea2e87e0023a6b7ee06aeed6fded
SHA256 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a
SHA512 d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\40AE.exe

MD5 909384c7ef81db1527d9cb6cbd8c8d7d
SHA1 6ab955c83ea48bf53b8f11078112a5b28688c30b
SHA256 ac8001de55e1a4a06142ad8d837f53409472f68bb146557e0fdcfccc7a32423d
SHA512 66be360c9c0895c7d4609f673b2c6822fd45ae1b6c6904e9dd0f5cb69ed4885126392b37d4e035f1f3a16fb2ac61e1d3e0fdc8a4b8cffdd8379fccc7dfe174ed

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6by93GN.exe

MD5 9c46d9382e13e4af151690bc11a1549b
SHA1 9b1f5cff12fe100302c8cb6d5cedc73b98d5ec7d
SHA256 c3c48bea2d57adbd90cfbbdc23927c95834471819fa1bc371779b75b08048e8c
SHA512 07d235969d353629b5e04fcabe88988f4d3cb1938b1c2a14c04013e3d4cdabd8f4a77009eb2d7d100797349b39ea5f23237df72262f4b790bc87615ff132a4cc

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vn8zv7Uh.exe

MD5 a9b08e94fc90554bd84d182c57e2196c
SHA1 e55cdab307dd8d0235b503b3786c7b263b781027
SHA256 6c95645f753aa3e8ae9226e136159062bf46c46e4876e879e87f4d8287d116f4
SHA512 d40e38f189fc9596419009b12b5c911d033e4625a070114bda5214dc0f3c39511737602f21fa123fdbc9a5b3be93a197ac52b2bb8fbe53bd399a7e17f271b5dd

C:\Users\Admin\AppData\Local\Temp\41C8.exe

MD5 5940df80cc0ffbb340e1d0165c0143ae
SHA1 895fce0d888aee0fdd28b95d3784ab3bb58ac4c9
SHA256 2c1fd1969c29699f2787dffe166c2225b028e7acd4efd2d83b9528825813d669
SHA512 3ab655fd14bb222558abb2c128bb21fa2b1adb0510cc1b3ec8400102d1a85af33c96c208db5c514346f0562806aaa35e37afc8840990284f2492d6a3f450b7d7

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aY2kr8VV.exe

MD5 b4f1d87ae6c7a45f3bceadc6737af426
SHA1 f925c6efe9388a3f8699c415e28626b21407c9a0
SHA256 460094d3170a050b32d594c27fdcff23ec94b09852d00c3f61363f414650986c
SHA512 136a0c1989d674acb8e44157de49fb6bfa773723027b27c0a520cee88bdcc8c8d181850525aa9086002453373a03fdfadd7d5b60a81ffe61672078d29ab7c2bd

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Rz9SE5IY.exe

MD5 9bd55fe1a9594ee2269332cdfd3c35de
SHA1 9bbb7d6d0bd0221e13942820f9fc14cfd5c1a5c6
SHA256 1ddd2c24bedbb000cbbf2033b8ad90f0c003b6043c3ce010f138d6bd89cc76cd
SHA512 e9ffbeab7a76c8e3d499ea0625ce774fb8e8f0dc3844b62352846354a619d8a1ffa659a19b9527e65805e2911a78f9642c29131c7b13590387850185962a4865

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\mB2nO8vz.exe

MD5 79d64b0a10fdc66eddeea9b88b2ecc63
SHA1 2981bfe928f4cccb01d67ef15d87581c57235236
SHA256 0e864b45df18a1e00f77abe9005c087d3a393b6d99c80aa556249c2a12f1387c
SHA512 f1552d58154bd618f287f79cc49cca5ac59dfafde5e34933203b93348d766c40990ee4c8390b54205d961ab0b3c4b8a8133ac31f329468fe4e52a08d2ef0f799

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1mI85mj9.exe

MD5 5940df80cc0ffbb340e1d0165c0143ae
SHA1 895fce0d888aee0fdd28b95d3784ab3bb58ac4c9
SHA256 2c1fd1969c29699f2787dffe166c2225b028e7acd4efd2d83b9528825813d669
SHA512 3ab655fd14bb222558abb2c128bb21fa2b1adb0510cc1b3ec8400102d1a85af33c96c208db5c514346f0562806aaa35e37afc8840990284f2492d6a3f450b7d7

C:\Users\Admin\AppData\Local\Temp\44D7.exe

MD5 dd08f0cd460c196d6083e8d2fb76de29
SHA1 7e7b2f2dc1f035cdc9ea637cd1f8795ab1d48a6e
SHA256 143c070f9595a87a72e28d8a64b14cb6ec73a62eff911a1c5d3ebbfa99803100
SHA512 ca52df2798bc9f16faea6212675f22335dfd13a5fc79d929faa384d13a63606728cfbd5f4aad6cb749b9fce962607e931e76b3e40fb7d082ab90eb228af2c3f6

memory/3524-306-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3524-307-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3524-308-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\46AD.exe

MD5 cb71132b03f15b037d3e8a5e4d9e0285
SHA1 95963fba539b45eb6f6acbd062c48976733519a1
SHA256 7f7d4ba0b7b46eff509b3aa2105d10d25f79e13ef3c1b1ec9c889cf2f0f1d373
SHA512 d140809bcac5b6b47f710c18ca1df1a3dd9b9adb95dbc368049cdc91874070c9a9f67137941ab17147143ebfabb81de7f1e697e42b0a28d51776b2f9c48cba4a

memory/5176-315-0x0000000000780000-0x000000000078A000-memory.dmp

memory/5188-316-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5176-317-0x00007FF8BBA80000-0x00007FF8BC541000-memory.dmp

memory/5188-318-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5188-320-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3524-324-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4900.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\434F.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

memory/5400-330-0x0000000073AF0000-0x00000000742A0000-memory.dmp

memory/5400-332-0x0000000007510000-0x0000000007520000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Dc044iF.exe

MD5 d864744ea23807cf528a1a508c2bdc3e
SHA1 a6c19194b0bdac075563109000c3e182f86f6155
SHA256 426a88a033bd62b047fd132f323987c440c10881e4c2843adbf59c1ce43f87ff
SHA512 7e06a9f47ca41272981cf6d17d9025497bea27769ca0535c684463d450595c9c728a8832ea7ebdf262efaf0fe6d4ce1622e9cc205afe72b52e7b6b04f38533a0

memory/5584-342-0x00000000000E0000-0x000000000011E000-memory.dmp

memory/5584-343-0x0000000073AF0000-0x00000000742A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 d9dbf3504233512feb3fa0d860c26b41
SHA1 a8544a0566263dc3862104c4c2d09584e300d2ed
SHA256 0a712d6e2d363b8b4d54494590018b95f68bc236695af1b8623900b26ee4fbd1
SHA512 0519291f5a0c8d784e13b1080e1b118b9639402235efd80b9704c64e461d2deacfb66f2e61e550dd51f7238cd4ff9c39146fe4cf67708031e71d83f3e9f2b77c

memory/5584-349-0x0000000006E40000-0x0000000006E50000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 83330cf6e88ad32365183f31b1fd3bda
SHA1 1c5b47be2b8713746de64b39390636a81626d264
SHA256 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512 e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 528b5dc5ede359f683b73a684b9c19f6
SHA1 8bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA256 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA512 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

memory/5536-418-0x00007FF682340000-0x00007FF6823AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 7ea584dc49967de03bebdacec829b18d
SHA1 3d47f0e88c7473bedeed2f14d7a8db1318b93852
SHA256 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53
SHA512 ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/4528-458-0x0000000002710000-0x0000000002719000-memory.dmp

memory/5780-463-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5176-468-0x00007FF8BBA80000-0x00007FF8BC541000-memory.dmp

memory/5840-467-0x0000000000410000-0x0000000000584000-memory.dmp

memory/4528-449-0x0000000002720000-0x0000000002820000-memory.dmp

memory/5400-470-0x0000000073AF0000-0x00000000742A0000-memory.dmp

memory/5780-473-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5684-472-0x00000000009E0000-0x0000000000B9D000-memory.dmp

memory/5840-478-0x0000000073AF0000-0x00000000742A0000-memory.dmp

memory/5464-479-0x0000000004900000-0x0000000004D00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/5464-487-0x0000000004D00000-0x00000000055EB000-memory.dmp

memory/5400-488-0x0000000007510000-0x0000000007520000-memory.dmp

memory/6140-490-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/4248-502-0x0000000000E90000-0x0000000000E98000-memory.dmp

memory/5504-507-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5464-510-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 de5a512870b8ee4702f16f07fd36c3d5
SHA1 bc05ad544ce927a7362a7eb3adffeb5fd699d6cb
SHA256 3d4c70baf411f6a972a422ecb8caa31cf459548a298580d2624e95980f57fe8c
SHA512 ecccc6efc3fac195f135c731c25a6bd3e792fefa8a8effb829bd5c94595cb42872ff6a9d8b7f59adda05d338e91eccfe6a99416ce611c4bac1f5604e9800cb1d

memory/5840-509-0x0000000073AF0000-0x00000000742A0000-memory.dmp

memory/6044-535-0x00000000006A0000-0x00000000006FA000-memory.dmp

memory/4248-540-0x000000001BB30000-0x000000001BB40000-memory.dmp

memory/5504-541-0x00000000018B0000-0x00000000018B6000-memory.dmp

memory/5684-544-0x00000000009E0000-0x0000000000B9D000-memory.dmp

memory/4248-551-0x00007FF8BBA80000-0x00007FF8BC541000-memory.dmp

memory/1176-554-0x0000000000610000-0x0000000000611000-memory.dmp

memory/6044-556-0x0000000000400000-0x0000000000467000-memory.dmp

memory/4528-561-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5584-565-0x0000000073AF0000-0x00000000742A0000-memory.dmp

memory/4528-564-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5504-560-0x0000000073AF0000-0x00000000742A0000-memory.dmp

memory/6044-566-0x0000000073AF0000-0x00000000742A0000-memory.dmp

memory/6140-567-0x0000000000400000-0x0000000000413000-memory.dmp

memory/5504-570-0x00000000030F0000-0x0000000003100000-memory.dmp

memory/3084-572-0x0000000002BD0000-0x0000000002BE6000-memory.dmp

memory/5784-585-0x0000000073AF0000-0x00000000742A0000-memory.dmp

memory/5780-580-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5784-587-0x00000000058E0000-0x00000000059BC000-memory.dmp

memory/5584-589-0x0000000006E40000-0x0000000006E50000-memory.dmp

memory/5784-590-0x00000000059E0000-0x00000000059F0000-memory.dmp

memory/5784-591-0x0000000005A60000-0x0000000005B38000-memory.dmp

memory/5784-593-0x0000000005E60000-0x0000000005EAC000-memory.dmp

memory/5784-592-0x0000000005D90000-0x0000000005E58000-memory.dmp

memory/5784-599-0x0000000006070000-0x00000000060D6000-memory.dmp

memory/1652-598-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5176-588-0x00007FF8BBA80000-0x00007FF8BC541000-memory.dmp

memory/5784-579-0x0000000000DE0000-0x0000000001124000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/5536-602-0x0000000002BF0000-0x0000000002D61000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c5bf639cc17b84dc79b19d817f15d599
SHA1 334a27151231f43ef21f647e6d52aa7e19370d69
SHA256 e5fedc9f62a2ea90ed289c6af8287345d831c370cc036d13669ef054f3088496
SHA512 ff5cd7cc2a207ac1fc7da003462cfcdf7fd6349db1da634bbea726b5d894e98714a7041f6813fb7847bc85acd7563dd020257721dd6b65f8652441dbe68b3431

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 576a74aac3d5c97113a82a2e3ed82aef
SHA1 cf3a38a90a33341d9ca2d4af6e6520c7055abe27
SHA256 1c0a24c84829ffee7e886e4dca5021beee2767c165838f570be81ae187ab503f
SHA512 fa1a41a6807f2f72a48df0ec5e29b2d7db9deae0f80f946951feddf86303a7d390403c465336e84b3fc181f1ae16264db827c6c15b56878c033bfeead9fab20d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58817f.TMP

MD5 8211fa100b859d674afe0d9e2f91ff77
SHA1 3bfade93afafdba38ba9808ded784feb0e31bbce
SHA256 0c9e7bf00ae7cdf9702ba4ddda385dbdb24e343bb18b265040d2337746417d5d
SHA512 14d8d8a807e1383d089f1cdd8efff36e9a4e283bdbdd171bdd60edc1ae9641a6370e32901d384e147e9af13183f3677fd046285dc4b3920626f604831ee4a382

memory/5464-628-0x0000000000400000-0x000000000298D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 210f95fab56637dda3335f36364a827d
SHA1 5f0a302a58174d3dcbc33ebed06ded59b241ad05
SHA256 46258a8d24d6209ed6501aaa5f28375eb104cf981573e768f766348698059cdf
SHA512 0cdc8b66b1fd8c2d691a17a9489f1a034223e55c986025a63fb84182675204e5645ed1911bfd62bb9fc73df7b7926773fbb59467d2ddf0b7d45ac53723fca767

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 8ce1dcae43ee3b44e3b5f1bcb169564b
SHA1 6722b20b5a989fea090c604b5edf0936ca69562d
SHA256 b817e1f56cf2c9c94990fa3e99c2faf057cc13682d70e1f5585e87d2d97ec128
SHA512 36d65c8ba9d9ac0763cddcd2e46dabde008abbfdf5a3d7490a9977a74d0e106291b490109c07b8db39e244c0eb40ea6e17067104a0368ccbfda3cca5950598cf

memory/1176-708-0x0000000000400000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 53ec5765b7958bf8c63d69ca69db2aad
SHA1 f471e1a5d64223465ad5f20f63811d1a06602d84
SHA256 dc573f8e57fb81d02712b9a1171415ce3706a31f555f23f0a49584a152ef77cc
SHA512 a412aa079eb69f57c099e975ca4c1c576579046c9422b438ffc26618e65185eb4d244d493e758b7ef18849ec34d4bee64bc0c9f5a48eb504ad00768bc05bc6eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6f4d31159436ff6ae6ac432112809090
SHA1 7709a7a586af454b669e95b5af62c84699af76da
SHA256 8ed3f33d7ca9cb00971f4a72030bd5b8d866517db5ed894069487f73b0e47327
SHA512 add56e946e1c11908d736e58f91a901f720bdbaaa5b74dca8c0748934e711f7e40fe5ad618cee11baa9d0d64c644236981a84def2c6ba5385ddd417ce8af707a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8c9457595aea370be177661a738a666e
SHA1 79f52303996b7de55e19ab0d77f7af78dcbc650d
SHA256 d92fedbd0c2ff8b5285617239b6695b891fbaa3b4eb4a980b1a0b7a05cd03bfc
SHA512 c4ae47730167d9a32e3c26e7e6b69a1ea8ab517cf7eaf79ed9bf91c1640985a00075d22e1955709e2bb35328af8b2de09f859d29887ded8c04ece4107c710192

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 82757e37c06c6b0c658db42ab015464c
SHA1 3144a6970e1c779eb24bc1c4343ea451c071b91d
SHA256 f1bb207140e13c5d06811994e2a8213c5ad40d37f43ddde54fb8b765c12cb571
SHA512 f14384c5266193653010719b32dd3e5da16c8fde91cef1557c3315bf03892d3ffa5e3eb6e60993c99e610b004c8956aed8ab31b78eea9172ae78bd4090bf0d71

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3m1b2f2d.cts.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5464-819-0x0000000000400000-0x000000000298D000-memory.dmp

memory/5464-835-0x0000000000400000-0x000000000298D000-memory.dmp

memory/1652-837-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5172-874-0x0000000000400000-0x000000000298D000-memory.dmp

memory/1652-885-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/1652-933-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5172-934-0x0000000000400000-0x000000000298D000-memory.dmp

memory/2992-942-0x0000000000400000-0x00000000004AC000-memory.dmp

memory/2992-948-0x00000000053C0000-0x00000000054A1000-memory.dmp

memory/2992-949-0x00000000053C0000-0x00000000054A1000-memory.dmp

memory/2992-952-0x00000000053C0000-0x00000000054A1000-memory.dmp

memory/2992-956-0x00000000053C0000-0x00000000054A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
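The listing above is the sandbox's flat text: one line per dropped-file path, its MD5/SHA1/SHA256/SHA512 on the lines that follow, and memory/<pid>-<index>-<start>-<end>-memory.dmp lines for the process memory regions the sandbox captured. Turning that into a hunt list by hand is error-prone, so the Python below is an added example (not part of the report, not the sandbox vendor's code) that parses this layout into records, deduplicates by SHA256, flags a hash written under more than one path (in this listing 4900.exe and fefffe8cea\explothe.exe share SHA256 08e33db0...e236, the usual dropped-copy-then-persistence-copy pattern), and groups memory dumps whose bounds are identical across different PIDs (0x400000-0x428000 appears under both 3524 and 5188). The sample input is constructed from entries visible in this listing, with the SHA512 lines left out for brevity (the parser accepts them); reading a region shared across PIDs as a possibly injected payload is an analyst heuristic, not something the report states, and the dump index is treated as an opaque event counter.

```python
import re
from collections import defaultdict

# Constructed sample input: entries copied from the listing above, in the
# report's own layout (path line, hash lines, memory/<pid>-<idx>-<start>-<end> lines).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\4900.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

memory/3524-306-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5188-316-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3524-324-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44D7.exe

MD5 dd08f0cd460c196d6083e8d2fb76de29
SHA1 7e7b2f2dc1f035cdc9ea637cd1f8795ab1d48a6e
SHA256 143c070f9595a87a72e28d8a64b14cb6ec73a62eff911a1c5d3ebbfa99803100
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Parse the report's Files text into (file_records, memory_dumps).

    A file record is {"path": ..., "MD5": ..., "SHA1": ..., ...}; a dump is
    {"pid", "index", "start", "end"} with the bounds as integers.
    """
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append({"pid": int(pid), "index": int(idx),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None          # a dump line closes the open file entry
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:   # catches truncated copy/paste of a digest
                raise ValueError(f"{algo} digest has wrong length for {current['path']}")
            current[algo] = digest
            continue
        current = {"path": line}    # any other non-empty line opens a new file entry
        files.append(current)
    return files, dumps


def unique_sha256(files):
    """Sorted, deduplicated SHA256 list: the IOC set to push to a blocklist or hunt query."""
    return sorted({f["SHA256"] for f in files if "SHA256" in f})


def multi_path_hashes(files):
    """SHA256 -> sorted paths, for hashes written under more than one path."""
    paths = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            paths[f["SHA256"]].add(f["path"])
    return {h: sorted(p) for h, p in paths.items() if len(p) > 1}


def shared_regions(dumps):
    """(start, end) -> sorted PIDs, for regions with identical bounds dumped from more than one PID."""
    by_region = defaultdict(set)
    for d in dumps:
        by_region[(d["start"], d["end"])].add(d["pid"])
    return {r: sorted(p) for r, p in by_region.items() if len(p) > 1}


if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE)
    print("unique SHA256:", *unique_sha256(files), sep="\n  ")
    for h, paths in multi_path_hashes(files).items():
        print(f"{h[:12]}... written to {len(paths)} paths: {paths}")
    for (start, end), pids in shared_regions(dumps).items():
        print(f"region 0x{start:X}-0x{end:X} dumped from PIDs {pids}")
```

Run it against the whole Files section saved as a text file instead of SAMPLE and the multi-path hashes are the ones worth a persistence check on the host; a length check on each digest is cheap insurance against a digest that lost characters when the report was copied.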