Analysis Overview
SHA256
bde70ac579d1b9ce2d8bef8c8023debec0ca1a0e3cac07ea465e25b32aa0602a
Threat Level: Known bad
The file file was found to be: Known bad.
Malicious Activity Summary
DcRat
Glupteba
Glupteba payload
SmokeLoader
Healer
RedLine
RedLine payload
Mystic
Modifies Windows Defender Real-time Protection settings
Amadey
Detects Healer, an antivirus disabler dropper
Modifies Windows Firewall
Downloads MZ/PE file
Windows security modification
Executes dropped EXE
Uses the VBS compiler for execution
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Manipulates WinMonFS driver
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-03 11:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-03 11:12
Reported
2023-10-03 11:15
Platform
win7-20230831-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 900 set thread context of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 284
Network
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
| MD5 | 0f1e6bd57eb05a9fd74ff70b15d82ad2 |
| SHA1 | a2e2ce16c2b0e838c7d304359c08b631c810e321 |
| SHA256 | d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f |
| SHA512 | 68c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
| MD5 | 0f1e6bd57eb05a9fd74ff70b15d82ad2 |
| SHA1 | a2e2ce16c2b0e838c7d304359c08b631c810e321 |
| SHA256 | d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f |
| SHA512 | 68c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
| MD5 | eaf5703824f4cd6826d0b72d5d4858be |
| SHA1 | ce3b239c05f9c18c1e988e71f38114fcf4d1445e |
| SHA256 | 1eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312 |
| SHA512 | b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
| MD5 | eaf5703824f4cd6826d0b72d5d4858be |
| SHA1 | ce3b239c05f9c18c1e988e71f38114fcf4d1445e |
| SHA256 | 1eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312 |
| SHA512 | b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
| MD5 | 270fed371af6acb335e5177f1d654d85 |
| SHA1 | c3fc74b07b2a5596edc0f347b1a11bd77ec5e613 |
| SHA256 | f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958 |
| SHA512 | 28a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
| MD5 | 270fed371af6acb335e5177f1d654d85 |
| SHA1 | c3fc74b07b2a5596edc0f347b1a11bd77ec5e613 |
| SHA256 | f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958 |
| SHA512 | 28a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
| MD5 | 8d04e032bc6ad6b3ba2b7998e65e6f13 |
| SHA1 | 66c8a49b5597f8fdab0bbe708c0335f85ef19986 |
| SHA256 | 90ff834f35b4a789d0d25c6252880635bf326d594e1156e785231b72ee59ebbf |
| SHA512 | efa2838bca833114a7417ea21e42644866d7b1c6352447735211dbc102f1d86bab0a59f2a27233eeae2fb6c43de01613437439132e188370de5d85937d9671c3 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
| MD5 | 8d04e032bc6ad6b3ba2b7998e65e6f13 |
| SHA1 | 66c8a49b5597f8fdab0bbe708c0335f85ef19986 |
| SHA256 | 90ff834f35b4a789d0d25c6252880635bf326d594e1156e785231b72ee59ebbf |
| SHA512 | efa2838bca833114a7417ea21e42644866d7b1c6352447735211dbc102f1d86bab0a59f2a27233eeae2fb6c43de01613437439132e188370de5d85937d9671c3 |
memory/2708-38-0x0000000000CB0000-0x0000000000CBA000-memory.dmp
memory/2708-39-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp
memory/2708-40-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp
memory/2708-41-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
| MD5 | 890f04e0a2f7f9b29f432ae5d7829143 |
| SHA1 | ce9553b4addcefb38e23059d6a42f384cce8f8e4 |
| SHA256 | f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8 |
| SHA512 | 0479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
| MD5 | 890f04e0a2f7f9b29f432ae5d7829143 |
| SHA1 | ce9553b4addcefb38e23059d6a42f384cce8f8e4 |
| SHA256 | f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8 |
| SHA512 | 0479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b |
memory/2948-48-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2948-49-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2948-50-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2948-51-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2948-52-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2948-53-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2948-55-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2948-54-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2948-59-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2948-57-0x0000000000400000-0x0000000000428000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-03 11:12
Reported
2023-10-03 11:15
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\5E9A.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\5E9A.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\5E9A.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\5E9A.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\5E9A.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
Mystic
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\60BE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7B6B.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\5E9A.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\587B.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Or4RX8cx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS1CF3Qn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Xy0vr1bG.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\PA Previewer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\PA Previewer\previewer.exe | C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp | N/A |
| File created | C:\Program Files (x86)\PA Previewer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp | N/A |
| File created | C:\Program Files (x86)\PA Previewer\is-AOANR.tmp | C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp | N/A |
| File created | C:\Program Files (x86)\PA Previewer\is-MOCNE.tmp | C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp | N/A |
| File created | C:\Program Files (x86)\PA Previewer\is-IRUUL.tmp | C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp | N/A |
| File created | C:\Program Files (x86)\PA Previewer\is-5FBH1.tmp | C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5E9A.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kos.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\PA Previewer\previewer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1292 -ip 1292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4980 -ip 4980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 616
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3JH23IV.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3JH23IV.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3764 -ip 3764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 600
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iO520AV.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iO520AV.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4948 -ip 4948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 152
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3B4.tmp\3B5.tmp\3B6.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff060c46f8,0x7fff060c4708,0x7fff060c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff060c46f8,0x7fff060c4708,0x7fff060c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,12146193027218610450,8218992721722641417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,12146193027218610450,8218992721722641417,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\587B.exe
C:\Users\Admin\AppData\Local\Temp\587B.exe
C:\Users\Admin\AppData\Local\Temp\5967.exe
C:\Users\Admin\AppData\Local\Temp\5967.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Or4RX8cx.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Or4RX8cx.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS1CF3Qn.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS1CF3Qn.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Xy0vr1bG.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Xy0vr1bG.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5B2D.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ti66oF6.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ti66oF6.exe
C:\Users\Admin\AppData\Local\Temp\5D70.exe
C:\Users\Admin\AppData\Local\Temp\5D70.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 432 -ip 432
C:\Users\Admin\AppData\Local\Temp\5E9A.exe
C:\Users\Admin\AppData\Local\Temp\5E9A.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5180 -ip 5180
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5368 -ip 5368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 600
C:\Users\Admin\AppData\Local\Temp\60BE.exe
C:\Users\Admin\AppData\Local\Temp\60BE.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 544
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff060c46f8,0x7fff060c4708,0x7fff060c4718
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5280 -ip 5280
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff060c46f8,0x7fff060c4708,0x7fff060c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 148
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rb326Jw.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rb326Jw.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\7B6B.exe
C:\Users\Admin\AppData\Local\Temp\7B6B.exe
C:\Users\Admin\AppData\Local\Temp\ss41.exe
"C:\Users\Admin\AppData\Local\Temp\ss41.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\kos1.exe
"C:\Users\Admin\AppData\Local\Temp\kos1.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\806D.exe
C:\Users\Admin\AppData\Local\Temp\806D.exe
C:\Users\Admin\AppData\Local\Temp\set16.exe
"C:\Users\Admin\AppData\Local\Temp\set16.exe"
C:\Users\Admin\AppData\Local\Temp\kos.exe
"C:\Users\Admin\AppData\Local\Temp\kos.exe"
C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp
"C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp" /SL4 $30262 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -i
C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -s
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| NL | 157.240.201.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| NL | 157.240.201.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 8.8.8.8:53 | 15.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| FI | 77.91.68.52:80 | 77.91.68.52 | tcp |
| US | 8.8.8.8:53 | 52.68.91.77.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| RU | 5.42.92.211:80 | 5.42.92.211 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.92.42.5.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| US | 8.8.8.8:53 | z.nnnaajjjgc.com | udp |
| MU | 156.236.72.121:443 | z.nnnaajjjgc.com | tcp |
| US | 8.8.8.8:53 | 78.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.72.236.156.in-addr.arpa | udp |
| US | 95.214.25.204:80 | 95.214.25.204 | tcp |
| NL | 89.208.107.31:80 | | tcp |
| US | 8.8.8.8:53 | 204.25.214.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | 147.174.42.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.234.251.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.121.18.2.in-addr.arpa | udp |
| MD | 176.123.4.46:33783 | | tcp |
| US | 8.8.8.8:53 | 46.4.123.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | app.nnnaajjjgc.com | udp |
| HK | 154.221.26.108:80 | app.nnnaajjjgc.com | tcp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.26.221.154.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95442095-c51e-4847-b1dd-05ff3c4f1dea.uuid.ramboclub.net | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | server8.ramboclub.net | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.48:443 | server8.ramboclub.net | tcp |
| US | 74.125.204.127:19302 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | mastertryprice.com | udp |
| US | 104.21.37.186:443 | mastertryprice.com | tcp |
| US | 8.8.8.8:53 | 127.204.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.37.21.104.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | datasheet.fun | udp |
| US | 104.21.89.251:80 | datasheet.fun | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 251.89.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.55:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
| MD5 | 0f1e6bd57eb05a9fd74ff70b15d82ad2 |
| SHA1 | a2e2ce16c2b0e838c7d304359c08b631c810e321 |
| SHA256 | d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f |
| SHA512 | 68c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
| MD5 | eaf5703824f4cd6826d0b72d5d4858be |
| SHA1 | ce3b239c05f9c18c1e988e71f38114fcf4d1445e |
| SHA256 | 1eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312 |
| SHA512 | b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
| MD5 | 270fed371af6acb335e5177f1d654d85 |
| SHA1 | c3fc74b07b2a5596edc0f347b1a11bd77ec5e613 |
| SHA256 | f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958 |
| SHA512 | 28a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
| MD5 | 8d04e032bc6ad6b3ba2b7998e65e6f13 |
| SHA1 | 66c8a49b5597f8fdab0bbe708c0335f85ef19986 |
| SHA256 | 90ff834f35b4a789d0d25c6252880635bf326d594e1156e785231b72ee59ebbf |
| SHA512 | efa2838bca833114a7417ea21e42644866d7b1c6352447735211dbc102f1d86bab0a59f2a27233eeae2fb6c43de01613437439132e188370de5d85937d9671c3 |
memory/2636-28-0x00000000005E0000-0x00000000005EA000-memory.dmp
memory/2636-29-0x00007FFEF6760000-0x00007FFEF7221000-memory.dmp
memory/2636-31-0x00007FFEF6760000-0x00007FFEF7221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
| MD5 | 890f04e0a2f7f9b29f432ae5d7829143 |
| SHA1 | ce9553b4addcefb38e23059d6a42f384cce8f8e4 |
| SHA256 | f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8 |
| SHA512 | 0479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b |
memory/4980-35-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4980-36-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4980-37-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4980-39-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3JH23IV.exe
| MD5 | 795944457f25ee822611f7e0e516ac1e |
| SHA1 | 7363da5dd6b7175efa8d815e4fec55ff1670717a |
| SHA256 | 30a8c218e4928a256ea674b209e144faf929fd550c39ea488399ecc6b7c8e2c7 |
| SHA512 | 95c77df271e0ea0f356023c1e019c3ba3d2243deeed1f630d2b7ef8c37954a7a59558b018f4dcf8c4a80fc2e693c90485a780922a09f88d45005ba0cb09d7e3f |
memory/3900-43-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3900-44-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iO520AV.exe
| MD5 | f076f5cd08dd7d24d0e82a03ac936d64 |
| SHA1 | 0726d218b7507e7cc120168fe815526f7762f562 |
| SHA256 | 67db4064ea0a14f2e40504e7cf70f795bc784a3ba5461f6ffe6857e242e28874 |
| SHA512 | 3b47ef5e127747e48975f34b11867e35d351db9d2a030981fd03c086eb4ea189f6b402b1d4f53cb4740e3d796b45d0a1a22d078023e131985a4a128a8eb726d1 |
memory/3616-48-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3616-49-0x0000000073C80000-0x0000000074430000-memory.dmp
memory/3616-50-0x0000000008280000-0x0000000008824000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exe
| MD5 | 4ebbad6aee33844e33bf065fc7f9c295 |
| SHA1 | c07ae3a150d9dbbda4af182eb33c543b90f278b4 |
| SHA256 | 9ee644db78bab1302f55478c204817f51fcee037157d2e047bf6d1f45ded36ff |
| SHA512 | b81c1ab752b98e2d632120016abe987d98a20a59d9775d9ff4293b08d44025be9f5f15e1b1a9011e5328318d6a7db338101624d6f6aa3f5b0cd8ab8a9864a121 |
memory/3616-53-0x0000000007DC0000-0x0000000007E52000-memory.dmp
memory/3616-56-0x0000000007F60000-0x0000000007F70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3B4.tmp\3B5.tmp\3B6.bat
| MD5 | 5a115a88ca30a9f57fdbb545490c2043 |
| SHA1 | 67e90f37fc4c1ada2745052c612818588a5595f4 |
| SHA256 | 52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d |
| SHA512 | 17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe |
memory/3616-58-0x0000000007ED0000-0x0000000007EDA000-memory.dmp
memory/3616-59-0x0000000008E50000-0x0000000009468000-memory.dmp
memory/3616-60-0x0000000008170000-0x000000000827A000-memory.dmp
memory/3616-61-0x00000000080A0000-0x00000000080B2000-memory.dmp
memory/3616-62-0x0000000008100000-0x000000000813C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c126b33f65b7fc4ece66e42d6802b02e |
| SHA1 | 2a169a1c15e5d3dab708344661ec04d7339bcb58 |
| SHA256 | ca9d2a9ab8047067c8a78be0a7e7af94af34957875de8e640cf2f98b994f52d8 |
| SHA512 | eecbe3f0017e902639e0ecb8256ae62bf681bb5f80a7cddc9008d2571fe34d91828dfaee9a8df5a7166f337154232b9ea966c83561ace45d1e2923411702e822 |
memory/3616-66-0x0000000008830000-0x000000000887C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | db9dbef3f8b1f616429f605c1ebca2f0 |
| SHA1 | ffba76f0836c024828d4ff1982cc4240c41a8f16 |
| SHA256 | 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1 |
| SHA512 | 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5 |
\??\pipe\LOCAL\crashpad_1588_BKBXBGREAFBPNUUY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_3780_ZRKOXNIDMCLFROTT
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ba126223517b49e951ce2ac5f53c7a8f |
| SHA1 | bf8030b86ddab2e9ec75cda0caead93431d9f4ba |
| SHA256 | f5b49a1f835071ba809e0234202cd7c3a1507a0ed476a1935ae04a78d8945583 |
| SHA512 | 0b6aef37012321d8fe0fb46617cdb1672bd4bd1aa68144dfdcd23598e54c835abdac7f04b8c2a6e10267c1c0db51c72a3ff294a9bbf41e923f133bd5c0e259ce |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a59f07c2202deb39b2abde57c6df6085 |
| SHA1 | 312d5dbfe68ca12f947a2dd44d68362d3d6c9b90 |
| SHA256 | 4c5b5b1a6bf15d9a9eb0d1a07580532a6c7903e360a48321b466d4a49f1a6bab |
| SHA512 | e2103d17e13acd80f2012003c7af70ad569d8ba7ab0adc0e539d3d1605faa30d62cded16b1d8d45d08eb296aee6eb62a0237b4a8efee1ddba7df595319bc9ec1 |
memory/3180-124-0x0000000008230000-0x0000000008246000-memory.dmp
memory/3900-126-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/3616-222-0x0000000073C80000-0x0000000074430000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a73a3cab6d00f4e33a0ea5b77d83c4b3 |
| SHA1 | 292c8a34e8d713389853eaa97b1c75915104bc7f |
| SHA256 | 694b4024a42ab399c7448bdc85f0073ec7d5e752aac4dbe67c4354c7f2ba6843 |
| SHA512 | 265a790de2d67c8274b9389445536eb1faaa8afdd63dec7e71712e4cd46011b511691dcbb9e7aab52bbaa18e9b6c91e136ed0380cb785c696a9d4a797a4b6b40 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f364ba46e73fefb452bc6694e331b0f6 |
| SHA1 | 1a86391480685cfb5ca064234a57fc7ca9c6560b |
| SHA256 | 34053fcb1101bb79e5dbc7e797614f68e43502f310576ad3c8a6c6631041f87a |
| SHA512 | f7deb47912ea90f5fbd1d4cd4e479e1d73b79ac9420b5f794adfde07a1dff8cf552604b5e3d5185e0cb48486b6f53b96c6ab20d757ed7077ddd0c58ee79b59b7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 6dcb90ba1ba8e06c1d4f27ec78f6911a |
| SHA1 | 71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9 |
| SHA256 | 30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416 |
| SHA512 | dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Temp\587B.exe
| MD5 | 58f0d05dc318fb27da641c03fa4d664d |
| SHA1 | daf53aa6f3f5706c1aec7c8149dd3973159d5264 |
| SHA256 | 3f604bed00436d2063eb5e64e7443afd4c94b96cf4a5391150a8b2b6199261f2 |
| SHA512 | 9ee0cf60aac3acfa2fe3bb466acdc549567f01fb817008ace925a0178a5d0f3409499ff7d6f6f3953298041cfb6ef758347d30c261b6190ee3d9e9deb17396c7 |
C:\Users\Admin\AppData\Local\Temp\5967.exe
| MD5 | 0b5d6ef3c97a9e982265f7af225e5a9c |
| SHA1 | 1997d3ee98bd097055ab61b4c3d63637b120bee3 |
| SHA256 | fe7f655249dcdafa18d1ff185dfc1b26d1c71262ad2f76391f0e423e9bb240e4 |
| SHA512 | 71784323e6aab3550314fae076fc6b3a35e3c30e707f53f16a19d9b3d533c2da1215c33038b195fc72bec245b64897b5cc21c8392fcce5fcfdf354214dd6bea8 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6qe08pX.exe
| MD5 | 5235caae76d02f5952194d9ca29b3b03 |
| SHA1 | c5d28760e6bbb69298904aa1f9bf9ba777b23697 |
| SHA256 | c82317a752e64d5d09b5d4ca0a517c625141a50c535a2bd0b6148d18306632dc |
| SHA512 | 601ed5535bedad1b3eece71ac74580e57c4f375c7eb714a4efe0ad53b3fc4fcce19a2e9d317fd71896ca80825f573abf594579ee9f0f3885c8944507d72797d7 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe
| MD5 | 66c3517503dc4974307fec6ffa661d5a |
| SHA1 | 7c371312352f3335f55053e19ed5138b355a81b4 |
| SHA256 | bfdea6f786a62a1efa9971fca4695516f625cc33748559957af2e95e518434a0 |
| SHA512 | 86d3c68c407943cd4ab798acc864777453acec3c7db483ec0189f86a09fccf70bf516bff911251db1ef26e39baf4650b784056f628963ea89c153ebfc47d12bf |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Or4RX8cx.exe
| MD5 | 49aafacee476804694b089564753232a |
| SHA1 | e5f3f789c72b9f57f646dfbdcd8da420ffbd6460 |
| SHA256 | 802b6e16f12cfa5b130717d3500c22a7ee02bbb783b20935ffba17145c3c5787 |
| SHA512 | 30be2c3e14b54b0fb9b30b2517db720d185d80cf6f5d49a179c5eed44c31c7cfd056c0e792715b7fa558dc8c57ef3ae2a5c4389cc2f62d00bc4507a390d4575c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Or4RX8cx.exe
| MD5 | 49aafacee476804694b089564753232a |
| SHA1 | e5f3f789c72b9f57f646dfbdcd8da420ffbd6460 |
| SHA256 | 802b6e16f12cfa5b130717d3500c22a7ee02bbb783b20935ffba17145c3c5787 |
| SHA512 | 30be2c3e14b54b0fb9b30b2517db720d185d80cf6f5d49a179c5eed44c31c7cfd056c0e792715b7fa558dc8c57ef3ae2a5c4389cc2f62d00bc4507a390d4575c |
C:\Users\Admin\AppData\Local\Temp\5967.exe
| MD5 | 0b5d6ef3c97a9e982265f7af225e5a9c |
| SHA1 | 1997d3ee98bd097055ab61b4c3d63637b120bee3 |
| SHA256 | fe7f655249dcdafa18d1ff185dfc1b26d1c71262ad2f76391f0e423e9bb240e4 |
| SHA512 | 71784323e6aab3550314fae076fc6b3a35e3c30e707f53f16a19d9b3d533c2da1215c33038b195fc72bec245b64897b5cc21c8392fcce5fcfdf354214dd6bea8 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS1CF3Qn.exe
| MD5 | 9014a0234d2c58ee7cf349c19e148c3b |
| SHA1 | 53b90f7cdbb745bbe5616cbbfd609323df8f822a |
| SHA256 | 5956c5a0dac5224aae9b8309e85290aa11b081d874f69d539817ba6d01ea613c |
| SHA512 | 42c4e86e34bf75bc00d6b7d8fa090e6ee1435e0b8a3c895810aa683e0ad6a6459f6b16182ba73b2e62270c2a158d9565e5143b0a308122d0042aebeb2bb01c06 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS1CF3Qn.exe
| MD5 | 9014a0234d2c58ee7cf349c19e148c3b |
| SHA1 | 53b90f7cdbb745bbe5616cbbfd609323df8f822a |
| SHA256 | 5956c5a0dac5224aae9b8309e85290aa11b081d874f69d539817ba6d01ea613c |
| SHA512 | 42c4e86e34bf75bc00d6b7d8fa090e6ee1435e0b8a3c895810aa683e0ad6a6459f6b16182ba73b2e62270c2a158d9565e5143b0a308122d0042aebeb2bb01c06 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Xy0vr1bG.exe
| MD5 | ad04538ac68bdbcdd4af15df754950df |
| SHA1 | 01a914d0ff62513dd29e5471a06262425b3587d0 |
| SHA256 | a148f9b369eb12dcc206683c98559e264ce830b4402c2e2aac6559eec6f3f621 |
| SHA512 | da9a246975b6bd40ee83cdf91f96f7d44b84becfe925fcd7c9976a8b6c950e1d40b5adf448460b64ab8a6351e4370c47f338bb0f4197a7abde976dc9da7b9eef |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Xy0vr1bG.exe
| MD5 | ad04538ac68bdbcdd4af15df754950df |
| SHA1 | 01a914d0ff62513dd29e5471a06262425b3587d0 |
| SHA256 | a148f9b369eb12dcc206683c98559e264ce830b4402c2e2aac6559eec6f3f621 |
| SHA512 | da9a246975b6bd40ee83cdf91f96f7d44b84becfe925fcd7c9976a8b6c950e1d40b5adf448460b64ab8a6351e4370c47f338bb0f4197a7abde976dc9da7b9eef |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ti66oF6.exe
| MD5 | 94fe8c5b20737216593756185af3492c |
| SHA1 | 8eead059a52929964e302ea5b368b979839c2cac |
| SHA256 | de73644bad0e5ac1b38ac89d00ec878bd467884f5ba2c13a5d7ff900a2bf0b9a |
| SHA512 | 4105e2ddfb853054057fa6eee53e74df7f335bad223a990487e99621ceb64959183fd3dc04fb03a820df684eda2056a941f9f6549fd18d1be360c52f1dc9e340 |
C:\Users\Admin\AppData\Local\Temp\5B2D.bat
| MD5 | 403991c4d18ac84521ba17f264fa79f2 |
| SHA1 | 850cc068de0963854b0fe8f485d951072474fd45 |
| SHA256 | ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f |
| SHA512 | a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ti66oF6.exe
| MD5 | 94fe8c5b20737216593756185af3492c |
| SHA1 | 8eead059a52929964e302ea5b368b979839c2cac |
| SHA256 | de73644bad0e5ac1b38ac89d00ec878bd467884f5ba2c13a5d7ff900a2bf0b9a |
| SHA512 | 4105e2ddfb853054057fa6eee53e74df7f335bad223a990487e99621ceb64959183fd3dc04fb03a820df684eda2056a941f9f6549fd18d1be360c52f1dc9e340 |
C:\Users\Admin\AppData\Local\Temp\5D70.exe
| MD5 | 0e6557057a1d9769a7cc3b4f670fdde5 |
| SHA1 | 8870b8d7db588dd57b416e474875b908517cbedb |
| SHA256 | aa0a00deb37f55d80e804526da1e0675f595772782a4871e3fc2be021da6c10c |
| SHA512 | 13a4af52593a02b8309d0c71d70932527c792f7145cee1d3102b5504352185a80257af7fc5921bda690e6eae068f22616ed59677e00906d76c3d9dee43f5ad40 |
memory/5328-308-0x0000000000400000-0x0000000000428000-memory.dmp
memory/5328-309-0x0000000000400000-0x0000000000428000-memory.dmp
memory/5328-312-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5D70.exe
| MD5 | 0e6557057a1d9769a7cc3b4f670fdde5 |
| SHA1 | 8870b8d7db588dd57b416e474875b908517cbedb |
| SHA256 | aa0a00deb37f55d80e804526da1e0675f595772782a4871e3fc2be021da6c10c |
| SHA512 | 13a4af52593a02b8309d0c71d70932527c792f7145cee1d3102b5504352185a80257af7fc5921bda690e6eae068f22616ed59677e00906d76c3d9dee43f5ad40 |
memory/5368-319-0x0000000000400000-0x0000000000428000-memory.dmp
memory/5384-320-0x00007FFEF2260000-0x00007FFEF2D21000-memory.dmp
memory/5368-318-0x0000000000400000-0x0000000000428000-memory.dmp
memory/5384-317-0x0000000000130000-0x000000000013A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\60BE.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/5368-322-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5E9A.exe
| MD5 | cb71132b03f15b037d3e8a5e4d9e0285 |
| SHA1 | 95963fba539b45eb6f6acbd062c48976733519a1 |
| SHA256 | 7f7d4ba0b7b46eff509b3aa2105d10d25f79e13ef3c1b1ec9c889cf2f0f1d373 |
| SHA512 | d140809bcac5b6b47f710c18ca1df1a3dd9b9adb95dbc368049cdc91874070c9a9f67137941ab17147143ebfabb81de7f1e697e42b0a28d51776b2f9c48cba4a |
C:\Users\Admin\AppData\Local\Temp\5E9A.exe
| MD5 | cb71132b03f15b037d3e8a5e4d9e0285 |
| SHA1 | 95963fba539b45eb6f6acbd062c48976733519a1 |
| SHA256 | 7f7d4ba0b7b46eff509b3aa2105d10d25f79e13ef3c1b1ec9c889cf2f0f1d373 |
| SHA512 | d140809bcac5b6b47f710c18ca1df1a3dd9b9adb95dbc368049cdc91874070c9a9f67137941ab17147143ebfabb81de7f1e697e42b0a28d51776b2f9c48cba4a |
C:\Users\Admin\AppData\Local\Temp\60BE.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | db9dbef3f8b1f616429f605c1ebca2f0 |
| SHA1 | ffba76f0836c024828d4ff1982cc4240c41a8f16 |
| SHA256 | 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1 |
| SHA512 | 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5 |
memory/5328-335-0x0000000000400000-0x0000000000428000-memory.dmp
memory/5752-337-0x0000000073C80000-0x0000000074430000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | db9dbef3f8b1f616429f605c1ebca2f0 |
| SHA1 | ffba76f0836c024828d4ff1982cc4240c41a8f16 |
| SHA256 | 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1 |
| SHA512 | 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5 |
memory/5752-353-0x0000000007EC0000-0x0000000007ED0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rb326Jw.exe
| MD5 | e748f885cdee27913e4462d9db102166 |
| SHA1 | b242938a5bdec37c2f831054992c48246e0bcb3c |
| SHA256 | 9403b9206c3f092ac6c85ad1f7e19006c1bb823609bd3f9a9926be3b84f638c2 |
| SHA512 | d4e1fc798ca5387ef914d314a77fbe8025047e7c666cd61c055884b5629d50a9dab7e02363b18ad7aa0f4b3b4304f95c6a01413cc9de280cf2efee82adfd6363 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rb326Jw.exe
| MD5 | e748f885cdee27913e4462d9db102166 |
| SHA1 | b242938a5bdec37c2f831054992c48246e0bcb3c |
| SHA256 | 9403b9206c3f092ac6c85ad1f7e19006c1bb823609bd3f9a9926be3b84f638c2 |
| SHA512 | d4e1fc798ca5387ef914d314a77fbe8025047e7c666cd61c055884b5629d50a9dab7e02363b18ad7aa0f4b3b4304f95c6a01413cc9de280cf2efee82adfd6363 |
memory/5424-436-0x0000000073C80000-0x0000000074430000-memory.dmp
memory/5424-435-0x00000000002A0000-0x00000000002DE000-memory.dmp
memory/5424-446-0x00000000072C0000-0x00000000072D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | afcd732d6449e6fe0b7a609ff70fae92 |
| SHA1 | a07fb77916ad41d01c5c42b919d6a11bc52aeded |
| SHA256 | 46e539775ce92f4ea0498cc1b7ab19041cf1e9f1254b838e390b0b112e2879f9 |
| SHA512 | 6e6f90048d0077a13a1e2afdff09fde3dc00ee5e4c65e32386585d28bbb333600623dc88d7aaed3fa0525ea5c44d43b9750a4f1d82462ccbca651f2f108704d9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587a7a.TMP
| MD5 | f35d05b970a245b6ebdd23acdb77597c |
| SHA1 | f59b4e8dd6e306eceb06287e9b80458fc380ccc4 |
| SHA256 | 09d6fb3c16239dac69e16cb09122f7071f2bae9f22101d50db3384b297fd0733 |
| SHA512 | dcae5b80ba09e50a36e5446612b6ff433996d93d884a179d8530bca06e817e5dd8d386a6b7aa2e16ad4ac64dbe9646fa7a1423a703ef688bc6b5147842b42e11 |
C:\Users\Admin\AppData\Local\Temp\ss41.exe
| MD5 | 83330cf6e88ad32365183f31b1fd3bda |
| SHA1 | 1c5b47be2b8713746de64b39390636a81626d264 |
| SHA256 | 7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e |
| SHA512 | e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 528b5dc5ede359f683b73a684b9c19f6 |
| SHA1 | 8bff4feae6dbdaafac1f9f373f15850d08e0a206 |
| SHA256 | 3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9 |
| SHA512 | 87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb |
memory/5672-497-0x00007FF663ED0000-0x00007FF663F3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 7ea584dc49967de03bebdacec829b18d |
| SHA1 | 3d47f0e88c7473bedeed2f14d7a8db1318b93852 |
| SHA256 | 79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53 |
| SHA512 | ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0 |
C:\Users\Admin\AppData\Local\Temp\kos1.exe
| MD5 | 85b698363e74ba3c08fc16297ddc284e |
| SHA1 | 171cfea4a82a7365b241f16aebdb2aad29f4f7c0 |
| SHA256 | 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe |
| SHA512 | 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796 |
memory/5880-518-0x00000000002B0000-0x0000000000424000-memory.dmp
memory/5200-520-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5384-519-0x00007FFEF2260000-0x00007FFEF2D21000-memory.dmp
memory/5432-522-0x00000000025F0000-0x00000000026F0000-memory.dmp
memory/5432-523-0x0000000002730000-0x0000000002739000-memory.dmp
memory/5200-525-0x0000000000400000-0x0000000000409000-memory.dmp
memory/5880-526-0x0000000073C80000-0x0000000074430000-memory.dmp
memory/5516-529-0x0000000000EA0000-0x000000000105D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fa7ccb55f138d3fa34ba083cb6672e5d |
| SHA1 | 5a3195f0f985ebd86a3b02c73b3c339deb16f15a |
| SHA256 | 041f469256e1389154971241e32a001e8dd3dab8f902a44ab7d275309ef6b0d5 |
| SHA512 | 6347f8f61db02ec9165fdebea5d0863b52f1a8d2a54329f863272d2446d77a3be789c2c1d6cdb167b38412597c4964d2484d7723a162abf3d50710e899ff2f96 |
memory/5752-546-0x0000000073C80000-0x0000000074430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\set16.exe
| MD5 | 22d5269955f256a444bd902847b04a3b |
| SHA1 | 41a83de3273270c3bd5b2bd6528bdc95766aa268 |
| SHA256 | ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd |
| SHA512 | d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c |
memory/5596-549-0x0000000004710000-0x0000000004B10000-memory.dmp
memory/6104-548-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos.exe
| MD5 | 076ab7d1cc5150a5e9f8745cc5f5fb6c |
| SHA1 | 7b40783a27a38106e2cc91414f2bc4d8b484c578 |
| SHA256 | d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90 |
| SHA512 | 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b |
memory/5596-555-0x0000000004B10000-0x00000000053FB000-memory.dmp
memory/4092-563-0x0000000000540000-0x0000000000548000-memory.dmp
memory/5880-565-0x0000000073C80000-0x0000000074430000-memory.dmp
memory/5412-578-0x0000000000B70000-0x0000000000BA0000-memory.dmp
memory/5596-579-0x0000000000400000-0x000000000298D000-memory.dmp
memory/4092-584-0x000000001B1C0000-0x000000001B1D0000-memory.dmp
memory/5516-586-0x0000000000EA0000-0x000000000105D000-memory.dmp
memory/5516-602-0x0000000000EA0000-0x000000000105D000-memory.dmp
memory/5412-599-0x0000000002AD0000-0x0000000002AD6000-memory.dmp
memory/5412-605-0x0000000073C80000-0x0000000074430000-memory.dmp
memory/3196-606-0x0000000000710000-0x0000000000711000-memory.dmp
memory/5752-597-0x0000000007EC0000-0x0000000007ED0000-memory.dmp
memory/4092-608-0x00007FFEF2260000-0x00007FFEF2D21000-memory.dmp
memory/5384-596-0x00007FFEF2260000-0x00007FFEF2D21000-memory.dmp
memory/5464-609-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/5464-612-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/5424-616-0x00000000072C0000-0x00000000072D0000-memory.dmp
memory/5412-615-0x00000000052F0000-0x0000000005300000-memory.dmp
memory/5424-614-0x0000000073C80000-0x0000000074430000-memory.dmp
memory/5304-619-0x0000000000400000-0x00000000005F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | ec6aae2bb7d8781226ea61adca8f0586 |
| SHA1 | d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3 |
| SHA256 | b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599 |
| SHA512 | aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7 |
memory/6104-589-0x0000000000400000-0x0000000000413000-memory.dmp
memory/5304-629-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/5200-631-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3180-630-0x0000000002910000-0x0000000002926000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 59a9abbe7f411ab441df459f4f74ee7e |
| SHA1 | fd7ad280579e7cf4a815d03c92577e0c10888522 |
| SHA256 | fe529b7de29f85f6ca10a510a2b17da919e408ff6ef296796b121b0c9dfe73e6 |
| SHA512 | 7e5bede28e54591ed2bf816ec22a8be135617b77dc7e00ea9b90bd69f2e88e19f461d0dfb437920246b5ab1d19997f4b344b706ee587dcc96928157dd1cbc2bf |
memory/1516-646-0x0000000002E80000-0x0000000002EB6000-memory.dmp
memory/5412-647-0x00000000057A0000-0x0000000005816000-memory.dmp
memory/5596-645-0x0000000000400000-0x000000000298D000-memory.dmp
memory/1516-648-0x0000000005590000-0x0000000005BB8000-memory.dmp
memory/5412-649-0x0000000005960000-0x00000000059C6000-memory.dmp
memory/1516-651-0x0000000002F00000-0x0000000002F10000-memory.dmp
memory/1516-650-0x0000000073C80000-0x0000000074430000-memory.dmp
memory/1516-662-0x0000000002F00000-0x0000000002F10000-memory.dmp
memory/1516-661-0x0000000005BC0000-0x0000000005BE2000-memory.dmp
memory/1516-669-0x0000000005D60000-0x0000000005DC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qdh5kq1k.qjb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3196-677-0x0000000000400000-0x00000000004B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 870de09e623182cec5e186354874be2a |
| SHA1 | 82837ba800b0821d44fd04f07394c328c3b8530d |
| SHA256 | f62fda7162b085bbf2b49426a6ede252485a0f4b5a3701879c3f853540439ff6 |
| SHA512 | 86dd264f6c6b71ac2922d5b1f71c3a5c4a096e9839c7c5696ea52f60dfcab051dd9b5fb8c75241278dde5d6fe8b66dbf0f5e3d490ed4ca66ef4a659d65c72fa1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b1b3d0462153da41cf01735390211f59 |
| SHA1 | 214860d911b5be901036fc7bb69913a5cbb86c70 |
| SHA256 | 9bce46337dcb1f2282fa259130df0b3bbcbe237551744af46a86ca52342b31ed |
| SHA512 | c6601be775b18a3b58eada9ba8eb4d27d161130b589697a966cc1462bfd2889a2c26c54743993a7efb4b95781d23dfe0ea6db7d24e453a2aae13f7f79d4dcaad |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 9e62365be47b0aab77ce92df70c013d2 |
| SHA1 | 861b28f134b3f53263160e1b2aead003351c60c9 |
| SHA256 | c857b3c4797f24c5227f2f354758195defae244c6fd587c8e02f0c7d4d665c80 |
| SHA512 | 516a42ab745bbc75864b5322975164f1ab3e8aaf23f84b86eb89dcd7636062eb41e9c47b1672fd5c508821793306fcbce8f6a2efb640ffcd4882f8d560dfc691 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e49fabb5c0f843978a779b71cb1cf8eb |
| SHA1 | 488d5bc88c8a26348a605c67fccb161551e78649 |
| SHA256 | a9825b73be9a2731d879f2d477a09a2bb7990d511626d34f26d10e6524912ea9 |
| SHA512 | 79ab6e118e4d440eaee10e486abb411ddee45191718688930bf9933d9bbfbde3c1bda6eae1769257f1df70db9df145d2291c71c664593a149e18272850216f31 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | b8009c760ebb31158ffbef38b748374a |
| SHA1 | 02ef17bb074d4c7b3b8293b5fea2c0d83a2d2ed2 |
| SHA256 | 94e89b2ad393bc9d4bdd71805f1cb71b6257c7fe2b5aaa3348e08f43256e8556 |
| SHA512 | 356a79269950966a647027fbdbe6359a991aa62446ffcc4c3bcc96e45c428e81170907ce11257e0a4dce4ad857916f10a487d75a42814ac4b09b92835e71c7b8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 774b3c097adca838e5e005809c79b926 |
| SHA1 | 3035a5591107b5737bb493a2bdce7a311b1721be |
| SHA256 | efca4e9ec5c178eef86e88f0dc06422ce00d9b1691e53dcd6207428889a0dbae |
| SHA512 | 31580bae3fb895c7a5bd80c9d1b92cd3ac2e0ad8a242209b53b0b1ed866d40d4d56dac29f5bb46e674bcbbad50834578d99ee8186fafe45b01b9a2788605c629 |
memory/5596-864-0x0000000000400000-0x000000000298D000-memory.dmp
memory/5304-885-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/5360-919-0x0000000000400000-0x000000000298D000-memory.dmp
memory/5304-948-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/5360-985-0x0000000000400000-0x000000000298D000-memory.dmp
memory/5304-1003-0x0000000000400000-0x00000000005F1000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
memory/4428-1046-0x0000000000400000-0x000000000298D000-memory.dmp
memory/5304-1085-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/4428-1086-0x0000000000400000-0x000000000298D000-memory.dmp