Malware Analysis Report

2025-08-05 22:19

Sample ID 231003-nbbrdsbh89
Target file
SHA256 bde70ac579d1b9ce2d8bef8c8023debec0ca1a0e3cac07ea465e25b32aa0602a
Tags
healer dropper evasion persistence trojan amadey dcrat glupteba mystic redline smokeloader @ytlogsbot gigant jordan up3 backdoor discovery infostealer loader rat rootkit spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bde70ac579d1b9ce2d8bef8c8023debec0ca1a0e3cac07ea465e25b32aa0602a

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

healer dropper evasion persistence trojan amadey dcrat glupteba mystic redline smokeloader @ytlogsbot gigant jordan up3 backdoor discovery infostealer loader rat rootkit spyware stealer

DcRat

Glupteba

Glupteba payload

SmokeLoader

Healer

RedLine

RedLine payload

Mystic

Modifies Windows Defender Real-time Protection settings

Amadey

Detects Healer an antivirus disabler dropper

Modifies Windows Firewall

Downloads MZ/PE file

Windows security modification

Executes dropped EXE

Uses the VBS compiler for execution

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Manipulates WinMonFS driver

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 11:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 11:12

Reported

2023-10-03 11:15

Platform

win7-20230831-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 900 set thread context of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
PID 2484 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
PID 2484 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
PID 2484 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
PID 2484 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
PID 2484 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
PID 2484 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
PID 1016 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
PID 1016 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
PID 1016 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
PID 1016 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
PID 1016 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
PID 1016 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
PID 1016 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
PID 1720 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
PID 1720 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
PID 1720 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
PID 1720 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
PID 1720 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
PID 1720 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
PID 1720 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
PID 2608 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
PID 2608 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
PID 2608 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
PID 2608 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
PID 2608 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
PID 2608 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
PID 2608 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
PID 2608 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
PID 2608 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
PID 2608 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
PID 2608 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
PID 2608 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
PID 2608 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
PID 2608 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\SysWOW64\WerFault.exe
PID 900 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\SysWOW64\WerFault.exe
PID 900 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\SysWOW64\WerFault.exe
PID 2948 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 900 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\SysWOW64\WerFault.exe
PID 2948 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 900 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\SysWOW64\WerFault.exe
PID 2948 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 900 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\SysWOW64\WerFault.exe
PID 900 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\SysWOW64\WerFault.exe
PID 2948 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2948 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2948 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
PID 2948 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
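The IXP00n.TMP directories are the extraction folders of wextract.exe (the IExpress self-extractor), and the RunOnce wextract_cleanupN values above are the hook it registers to delete them, so the chain is four nested SFX layers before the two payloads in IXP003.TMP. The rows above record every WriteProcessMemory call, and a parent writing into a child it has just created is part of ordinary CreateProcess, so the writes alone are not injection: the discriminator is the SetThreadContext call from 2AV3412.exe into the signed .NET host AppLaunch.exe after writing into it. The following Python is an added triage example, not part of the sandbox vendor's report; it parses the flattened rows in the format shown above (the sample rows are copied from the tables; the row regex and the WerFault.exe filter are this example's own choices) to rebuild the drop chain and flag the hollowing pattern.

```python
"""Rebuild the dropper chain and flag process hollowing from the report's
'wrote to memory of' / 'set thread context of' rows. Added example; the
row format is the flattened table layout shown above."""
import ntpath
import re
from collections import defaultdict

# Constructed sample input, copied from the behavioral1 tables above. The
# report repeats each WriteProcessMemory row once per call and parse_rows()
# collapses those repeats, so the first row is deliberately duplicated here.
SAMPLE_ROWS = r"""
PID 2484 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
PID 2484 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
PID 1016 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe
PID 1720 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe
PID 2608 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe
PID 2608 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe
PID 900 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 set thread context of 2948 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 900 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\SysWOW64\WerFault.exe
PID 2948 wrote to memory of 2628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\SysWOW64\WerFault.exe
"""

# "PID <src> <event> <dst> N/A <src image> <dst image>"; the lazy match on the
# first path stops at the drive letter of the second, so paths may contain spaces.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<event>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>[A-Za-z]:\\.+?) (?P<dst_img>[A-Za-z]:\\.+)$"
)

# Crash reporter spawned by the crashing process itself; not part of the drop chain.
NOISE_IMAGES = {"werfault.exe"}
WRITE, SETCTX = "wrote to memory of", "set thread context of"


def parse_rows(text):
    """One record per distinct (event, source PID, target PID); other lines are skipped."""
    seen, events = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = (m["event"], int(m["src"]), int(m["dst"]))
        if key in seen:
            continue
        seen.add(key)
        events.append({"event": m["event"], "src": int(m["src"]), "dst": int(m["dst"]),
                       "src_img": m["src_img"], "dst_img": m["dst_img"]})
    return events


def drop_tree(events):
    """parent image -> ordered list of child images, from the WriteProcessMemory rows.
    A parent writing into a child it has just created is normal CreateProcess
    behaviour, which is exactly why these rows trace the drop chain."""
    tree = defaultdict(list)
    for e in events:
        if e["event"] != WRITE:
            continue
        child = ntpath.basename(e["dst_img"])
        if child.lower() in NOISE_IMAGES:
            continue
        parent = ntpath.basename(e["src_img"])
        if child not in tree[parent]:
            tree[parent].append(child)
    return dict(tree)


def linear_chain(tree, root):
    """Follow single-child links from root until the chain branches or ends."""
    chain = [root]
    while len(tree.get(chain[-1], [])) == 1:
        chain.append(tree[chain[-1]][0])
    return chain


def hollowing_candidates(events):
    """SetThreadContext on a process the same PID already wrote into. When the
    target is a different image under C:\\Windows (here AppLaunch.exe, a signed
    .NET host) that write-then-redirect sequence is process hollowing (ATT&CK T1055.012)."""
    writes = {(e["src"], e["dst"]) for e in events if e["event"] == WRITE}
    found = []
    for e in events:
        if e["event"] != SETCTX or (e["src"], e["dst"]) not in writes:
            continue
        found.append({
            "injector": ntpath.basename(e["src_img"]),
            "host": ntpath.basename(e["dst_img"]),
            "src": e["src"], "dst": e["dst"],
            "trusted_host": e["dst_img"].lower().startswith("c:\\windows\\"),
        })
    return found


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    tree = drop_tree(evs)
    print("chain:", " -> ".join(linear_chain(tree, "file.exe")))
    for parent, kids in tree.items():
        print(f"{parent}: {kids}")
    for h in hollowing_candidates(evs):
        print("hollowing:", h)
```

Run as a script it prints the chain file.exe -> us4DK37.exe -> mR1ZW65.exe -> Xp2LI48.exe, the two children of Xp2LI48.exe, and one hollowing candidate (PID 900 into PID 2948). WerFault.exe is excluded from the tree because both 2AV3412.exe and the hollowed AppLaunch.exe crash (the WerFault.exe -u -p 900 and -p 2948 lines under Processes) and the crash reporter is spawned by the crashing process itself, so those writes are crash handling, not dropping.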

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 284

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe

MD5 0f1e6bd57eb05a9fd74ff70b15d82ad2
SHA1 a2e2ce16c2b0e838c7d304359c08b631c810e321
SHA256 d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f
SHA512 68c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe

MD5 0f1e6bd57eb05a9fd74ff70b15d82ad2
SHA1 a2e2ce16c2b0e838c7d304359c08b631c810e321
SHA256 d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f
SHA512 68c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe

MD5 0f1e6bd57eb05a9fd74ff70b15d82ad2
SHA1 a2e2ce16c2b0e838c7d304359c08b631c810e321
SHA256 d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f
SHA512 68c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5

\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe

MD5 0f1e6bd57eb05a9fd74ff70b15d82ad2
SHA1 a2e2ce16c2b0e838c7d304359c08b631c810e321
SHA256 d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f
SHA512 68c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5

\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe

MD5 eaf5703824f4cd6826d0b72d5d4858be
SHA1 ce3b239c05f9c18c1e988e71f38114fcf4d1445e
SHA256 1eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312
SHA512 b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe

MD5 eaf5703824f4cd6826d0b72d5d4858be
SHA1 ce3b239c05f9c18c1e988e71f38114fcf4d1445e
SHA256 1eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312
SHA512 b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105

\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe

MD5 eaf5703824f4cd6826d0b72d5d4858be
SHA1 ce3b239c05f9c18c1e988e71f38114fcf4d1445e
SHA256 1eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312
SHA512 b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe

MD5 eaf5703824f4cd6826d0b72d5d4858be
SHA1 ce3b239c05f9c18c1e988e71f38114fcf4d1445e
SHA256 1eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312
SHA512 b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe

MD5 270fed371af6acb335e5177f1d654d85
SHA1 c3fc74b07b2a5596edc0f347b1a11bd77ec5e613
SHA256 f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958
SHA512 28a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe

MD5 270fed371af6acb335e5177f1d654d85
SHA1 c3fc74b07b2a5596edc0f347b1a11bd77ec5e613
SHA256 f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958
SHA512 28a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53

\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe

MD5 270fed371af6acb335e5177f1d654d85
SHA1 c3fc74b07b2a5596edc0f347b1a11bd77ec5e613
SHA256 f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958
SHA512 28a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe

MD5 270fed371af6acb335e5177f1d654d85
SHA1 c3fc74b07b2a5596edc0f347b1a11bd77ec5e613
SHA256 f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958
SHA512 28a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe

MD5 8d04e032bc6ad6b3ba2b7998e65e6f13
SHA1 66c8a49b5597f8fdab0bbe708c0335f85ef19986
SHA256 90ff834f35b4a789d0d25c6252880635bf326d594e1156e785231b72ee59ebbf
SHA512 efa2838bca833114a7417ea21e42644866d7b1c6352447735211dbc102f1d86bab0a59f2a27233eeae2fb6c43de01613437439132e188370de5d85937d9671c3

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe

MD5 8d04e032bc6ad6b3ba2b7998e65e6f13
SHA1 66c8a49b5597f8fdab0bbe708c0335f85ef19986
SHA256 90ff834f35b4a789d0d25c6252880635bf326d594e1156e785231b72ee59ebbf
SHA512 efa2838bca833114a7417ea21e42644866d7b1c6352447735211dbc102f1d86bab0a59f2a27233eeae2fb6c43de01613437439132e188370de5d85937d9671c3

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe

MD5 8d04e032bc6ad6b3ba2b7998e65e6f13
SHA1 66c8a49b5597f8fdab0bbe708c0335f85ef19986
SHA256 90ff834f35b4a789d0d25c6252880635bf326d594e1156e785231b72ee59ebbf
SHA512 efa2838bca833114a7417ea21e42644866d7b1c6352447735211dbc102f1d86bab0a59f2a27233eeae2fb6c43de01613437439132e188370de5d85937d9671c3

memory/2708-38-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

memory/2708-39-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

memory/2708-40-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

memory/2708-41-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe

MD5 890f04e0a2f7f9b29f432ae5d7829143
SHA1 ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256 f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA512 0479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe

MD5 890f04e0a2f7f9b29f432ae5d7829143
SHA1 ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256 f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA512 0479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe

MD5 890f04e0a2f7f9b29f432ae5d7829143
SHA1 ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256 f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA512 0479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe

MD5 890f04e0a2f7f9b29f432ae5d7829143
SHA1 ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256 f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA512 0479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b

memory/2948-48-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2948-49-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2948-50-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2948-51-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2948-52-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2948-53-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2948-55-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2948-54-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2948-59-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2948-57-0x0000000000400000-0x0000000000428000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe

MD5 890f04e0a2f7f9b29f432ae5d7829143
SHA1 ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256 f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA512 0479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe

MD5 890f04e0a2f7f9b29f432ae5d7829143
SHA1 ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256 f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA512 0479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe

MD5 890f04e0a2f7f9b29f432ae5d7829143
SHA1 ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256 f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA512 0479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b

\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe

MD5 890f04e0a2f7f9b29f432ae5d7829143
SHA1 ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256 f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA512 0479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-03 11:12

Reported

2023-10-03 11:15

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\5E9A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\5E9A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\5E9A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\5E9A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\5E9A.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A

Mystic

stealer mystic

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\60BE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7B6B.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3JH23IV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iO520AV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\587B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5967.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Or4RX8cx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS1CF3Qn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Xy0vr1bG.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ti66oF6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5D70.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E9A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\60BE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rb326Jw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7B6B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe N/A
N/A N/A C:\Windows\SysWOW64\net.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\806D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\set16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\5E9A.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\587B.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Or4RX8cx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS1CF3Qn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Xy0vr1bG.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp N/A
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-AOANR.tmp C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-MOCNE.tmp C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-IRUUL.tmp C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-5FBH1.tmp C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5E9A.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; xN = number of recorded writes)
PID 760 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe (x3)
PID 1096 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe (x3)
PID 4988 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe (x3)
PID 1352 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe (x2)
PID 1352 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe (x3)
PID 1292 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (x10)
PID 4988 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3JH23IV.exe (x3)
PID 3764 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3JH23IV.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (x6)
PID 1096 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iO520AV.exe (x3)
PID 4948 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iO520AV.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (x8)
PID 760 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exe (x3)
PID 4144 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exe C:\Windows\system32\cmd.exe (x2)
PID 5096 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x2)
PID 3780 wrote to memory of 2168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x2)
PID 5096 wrote to memory of 1588 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x2)
PID 1588 wrote to memory of 1944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x2)
PID 1588 wrote to memory of 4384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x7)
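The WriteProcessMemory table records one row per call, so the injection chain is easy to lose in the repetition, and not every row is an injection: cmd.exe and msedge.exe writing into the Edge children they launch is ordinary process creation. The Python below is an added illustration, not part of the report or the sandbox's tooling. It parses rows in that layout (accepting a trailing "(xN)" multiplier, which is my own shorthand for repeated rows), rebuilds the parent-to-child write tree from file.exe, and singles out writes from a file dropped under the user's Temp directory into a Microsoft-signed .NET host. The KNOWN_HOSTS set is my assumption about commonly hollowed hosts, not something the report states; the embedded rows are copied from the main chain of the table. The check is only meaningful together with the SetThreadContext and UnmapMainImage signatures this report also raises, which is what turns "parent wrote to child" into a hollowing pattern.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Rows copied from the "Suspicious use of WriteProcessMemory" table above. The first
# edge is kept in the sandbox's one-row-per-call layout; for the rest I collapse the
# repeats with a "(xN)" multiplier, my own shorthand that the parser expands.
ROWS = r"""
PID 760 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
PID 760 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
PID 760 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe
PID 1096 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe (x3)
PID 4988 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe (x3)
PID 1352 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe (x2)
PID 1352 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe (x3)
PID 1292 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (x10)
PID 760 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exe (x3)
PID 4144 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exe C:\Windows\system32\cmd.exe (x2)
PID 5096 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (x2)
"""

# Paths may contain spaces ("Program Files (x86)"), so each path is matched from its
# drive letter up to the next " X:\" or the optional "(xN)" suffix at end of line.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) \S+ ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*?)(?: \(x(\d+)\))?$"
)
# Signed Microsoft .NET hosts that dropped stagers commonly hollow (my list, not the report's).
KNOWN_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def parse_rows(text):
    """(src_pid, dst_pid, src_image, dst_image) per recorded write; '(xN)' rows expand to N."""
    recs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            recs.extend([(int(m[1]), int(m[2]), m[3], m[4])] * int(m[5] or 1))
    return recs


def write_counts(recs):
    """Number of recorded writes per (src_pid, dst_pid) edge."""
    return Counter((s, d) for s, d, _, _ in recs)


def images(recs):
    """pid -> image path, taken from whichever side of an edge names the pid first."""
    out = {}
    for s, d, si, di in recs:
        out.setdefault(s, si)
        out.setdefault(d, di)
    return out


def tree(recs):
    """parent pid -> unique child pids it wrote into, in first-seen order."""
    kids = defaultdict(list)
    for s, d, _, _ in recs:
        if d not in kids[s]:
            kids[s].append(d)
    return kids


def hollowing_candidates(recs):
    """Edges where a Temp-resident dropper writes into a signed .NET host binary.
    Returns (src_pid, src_name, dst_pid, dst_name, write_count) per distinct edge."""
    counts, seen, hits = write_counts(recs), set(), []
    for s, d, si, di in recs:
        if (s, d) in seen:
            continue
        seen.add((s, d))
        if PureWindowsPath(di).name.lower() in KNOWN_HOSTS and "\\Temp\\" in si:
            hits.append((s, PureWindowsPath(si).name, d, PureWindowsPath(di).name, counts[(s, d)]))
    return hits


def render(recs, root):
    """Indented parent-to-child chain below root, using each pid's image basename."""
    kids, img = tree(recs), images(recs)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {PureWindowsPath(img[pid]).name}")
        for child in kids.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_rows(ROWS)
    print(render(recs, 760))
    for s, si, d, di, n in hollowing_candidates(recs):
        print(f"hollowing candidate: {s} {si} -> {d} {di} ({n} writes)")
```

Run as a script it prints the tree rooted at file.exe (PID 760) and one candidate, 2AV3412.exe writing ten times into AppLaunch.exe; the three dropper-to-dropper edges each show only three writes, which is the contrast an analyst looks for when deciding which rows to pull memory dumps for.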

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1292 -ip 1292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 616

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3JH23IV.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3JH23IV.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3764 -ip 3764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 600

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iO520AV.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iO520AV.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4948 -ip 4948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3B4.tmp\3B5.tmp\3B6.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff060c46f8,0x7fff060c4708,0x7fff060c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff060c46f8,0x7fff060c4708,0x7fff060c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,12146193027218610450,8218992721722641417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,12146193027218610450,8218992721722641417,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\587B.exe

C:\Users\Admin\AppData\Local\Temp\587B.exe

C:\Users\Admin\AppData\Local\Temp\5967.exe

C:\Users\Admin\AppData\Local\Temp\5967.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Or4RX8cx.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Or4RX8cx.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS1CF3Qn.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS1CF3Qn.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Xy0vr1bG.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Xy0vr1bG.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5B2D.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ti66oF6.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ti66oF6.exe

C:\Users\Admin\AppData\Local\Temp\5D70.exe

C:\Users\Admin\AppData\Local\Temp\5D70.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 432 -ip 432

C:\Users\Admin\AppData\Local\Temp\5E9A.exe

C:\Users\Admin\AppData\Local\Temp\5E9A.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5180 -ip 5180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5368 -ip 5368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 600

C:\Users\Admin\AppData\Local\Temp\60BE.exe

C:\Users\Admin\AppData\Local\Temp\60BE.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff060c46f8,0x7fff060c4708,0x7fff060c4718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5280 -ip 5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff060c46f8,0x7fff060c4708,0x7fff060c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 148

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rb326Jw.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rb326Jw.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\7B6B.exe

C:\Users\Admin\AppData\Local\Temp\7B6B.exe

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\806D.exe

C:\Users\Admin\AppData\Local\Temp\806D.exe

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp

"C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp" /SL4 $30262 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv
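The process list above is raw evidence; what a detection engineer wants from it is a set of rules that would have fired. The Python below is an added example, not part of the report, that applies such rules to entries in the list's image-path/command-line layout and flags the patterns visible in this detonation: a scheduled task that re-launches a Temp-resident explothe.exe every minute, a second task that runs C:\Windows\rss\csrss.exe at logon with the highest run level (a core-process name living outside System32), a netsh firewall allow rule for that same path, cacls deny ACEs on the dropped file and its folder, rundll32 loading clip64.dll out of AppData\Roaming by export name, and an injector handing NtQuerySystemInformationHook.dll to taskmgr.exe. SYSTEM_NAMES, the "user-writable" test and the rule wording are my own assumptions; the sample entries are copied from the list above, with the task deletion and "sc start wuauserv" kept as benign controls that must not fire.

```python
import re

# Entries copied from the Processes list above in its image-path / command-line
# layout (a subset; blank separator lines dropped, the parser ignores them anyway).
SAMPLE = r"""
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
"""

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
SYSTEM_DIRS = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.I)
# Core Windows process names that malware borrows for masquerading (my list).
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "smss.exe", "winlogon.exe", "explorer.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def arg(cmd, flag):
    """Value after a /FLAG or key= token, quoted or bare; None when absent."""
    m = re.search(re.escape(flag) + r'\s*(?:"([^"]*)"|(\S+))', cmd, re.I)
    return (m[1] or m[2]) if m else None


def parse_entries(text):
    """Pair each image-path line with the command line that follows it."""
    lines = [l for l in text.splitlines() if l.strip()]
    return list(zip(lines[0::2], lines[1::2]))


def suspicious_binary(path):
    """Why a persisted or firewall-allowed binary looks wrong, or None."""
    if not path:
        return None
    if USER_WRITABLE.search(path):
        return "user-writable path"
    name = basename(path).lower()
    if name in SYSTEM_NAMES and not SYSTEM_DIRS.match(path):
        return f"system-process name outside System32 ({name})"
    return None


def evaluate(image, cmd):
    """Rule names that fire for one process entry (empty list when clean)."""
    hits, low, base = [], cmd.lower(), basename(image).lower()
    if base == "schtasks.exe" and "/create" in low:
        why = suspicious_binary(arg(cmd, "/TR"))
        if why:
            hits.append(f"schtasks persistence: {why}")
            if (arg(cmd, "/RL") or "").upper() == "HIGHEST":
                hits.append("schtasks highest run level for suspicious binary")
        if (arg(cmd, "/SC") or "").upper() == "MINUTE":
            hits.append("schtasks every-minute trigger (respawn loop)")
    elif base == "cacls.exe" and re.search(r'/P\s+"?[^"\s]+:N\b', cmd, re.I):
        hits.append("cacls deny ACE on own artifact (self-protection)")
    elif base == "netsh.exe" and "advfirewall firewall add rule" in low:
        why = suspicious_binary(arg(cmd, "program="))
        if why:
            hits.append(f"firewall allow rule: {why}")
    elif base == "rundll32.exe":
        m = re.search(r"([A-Z]:\\\S+\.dll)\s*,\s*(\w+)", cmd, re.I)
        if m and USER_WRITABLE.search(m[1]):
            hits.append(f"rundll32 loads {basename(m[1])} from user-writable path, export {m[2]}")
    elif USER_WRITABLE.search(image):
        # "<injector>.exe <target>.exe <...>\SomethingHook.dll": an API-hook DLL aimed at a process
        m = re.search(r"\.exe\s+(\w+\.exe)\s+.*\\(\w*hook\w*\.dll)", cmd, re.I)
        if m:
            hits.append(f"hook DLL {m[2]} handed to an injector targeting {m[1]}")
    return hits


def scan(text):
    """(image basename, rule) for every rule that fires over the whole list."""
    return [(basename(img), h) for img, cmd in parse_entries(text) for h in evaluate(img, cmd)]


if __name__ == "__main__":
    for img, hit in scan(SAMPLE):
        print(f"{img:14} {hit}")
```

Two of these rules are worth keeping even outside a sandbox: a task whose action lives under AppData, and a binary named after a core process (csrss.exe, svchost.exe, ...) that is not in System32 or SysWOW64. Both are cheap to evaluate on Sysmon event ID 1 or 4688 data and both fire here without any knowledge of the specific families involved.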

Network

Country Destination Domain Proto

Files


memory/3196-677-0x0000000000400000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 870de09e623182cec5e186354874be2a
SHA1 82837ba800b0821d44fd04f07394c328c3b8530d
SHA256 f62fda7162b085bbf2b49426a6ede252485a0f4b5a3701879c3f853540439ff6
SHA512 86dd264f6c6b71ac2922d5b1f71c3a5c4a096e9839c7c5696ea52f60dfcab051dd9b5fb8c75241278dde5d6fe8b66dbf0f5e3d490ed4ca66ef4a659d65c72fa1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b1b3d0462153da41cf01735390211f59
SHA1 214860d911b5be901036fc7bb69913a5cbb86c70
SHA256 9bce46337dcb1f2282fa259130df0b3bbcbe237551744af46a86ca52342b31ed
SHA512 c6601be775b18a3b58eada9ba8eb4d27d161130b589697a966cc1462bfd2889a2c26c54743993a7efb4b95781d23dfe0ea6db7d24e453a2aae13f7f79d4dcaad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9e62365be47b0aab77ce92df70c013d2
SHA1 861b28f134b3f53263160e1b2aead003351c60c9
SHA256 c857b3c4797f24c5227f2f354758195defae244c6fd587c8e02f0c7d4d665c80
SHA512 516a42ab745bbc75864b5322975164f1ab3e8aaf23f84b86eb89dcd7636062eb41e9c47b1672fd5c508821793306fcbce8f6a2efb640ffcd4882f8d560dfc691

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e49fabb5c0f843978a779b71cb1cf8eb
SHA1 488d5bc88c8a26348a605c67fccb161551e78649
SHA256 a9825b73be9a2731d879f2d477a09a2bb7990d511626d34f26d10e6524912ea9
SHA512 79ab6e118e4d440eaee10e486abb411ddee45191718688930bf9933d9bbfbde3c1bda6eae1769257f1df70db9df145d2291c71c664593a149e18272850216f31

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 b8009c760ebb31158ffbef38b748374a
SHA1 02ef17bb074d4c7b3b8293b5fea2c0d83a2d2ed2
SHA256 94e89b2ad393bc9d4bdd71805f1cb71b6257c7fe2b5aaa3348e08f43256e8556
SHA512 356a79269950966a647027fbdbe6359a991aa62446ffcc4c3bcc96e45c428e81170907ce11257e0a4dce4ad857916f10a487d75a42814ac4b09b92835e71c7b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 774b3c097adca838e5e005809c79b926
SHA1 3035a5591107b5737bb493a2bdce7a311b1721be
SHA256 efca4e9ec5c178eef86e88f0dc06422ce00d9b1691e53dcd6207428889a0dbae
SHA512 31580bae3fb895c7a5bd80c9d1b92cd3ac2e0ad8a242209b53b0b1ed866d40d4d56dac29f5bb46e674bcbbad50834578d99ee8186fafe45b01b9a2788605c629

memory/5596-864-0x0000000000400000-0x000000000298D000-memory.dmp

memory/5304-885-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5360-919-0x0000000000400000-0x000000000298D000-memory.dmp

memory/5304-948-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5360-985-0x0000000000400000-0x000000000298D000-memory.dmp

memory/5304-1003-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/4428-1046-0x0000000000400000-0x000000000298D000-memory.dmp

memory/5304-1085-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4428-1086-0x0000000000400000-0x000000000298D000-memory.dmp
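The listing above mixes dropped-file records (a path line followed by MD5/SHA1/SHA256/SHA512 lines) with memory snapshots whose file names encode the process and address range. The following parser is an added example, not part of the sandbox report or its vendor's tooling; it assumes the snapshot naming convention memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp inferred from the names shown here, and the sample input is a constructed excerpt copied from the lines above. It turns the listing into per-PID region maps, flags regions that were dumped more than once at the same address (in this report, 0x400000-0x298D000 in PID 5596 and 0x400000-0x5F1000 in PID 5304), and emits (path, SHA256) pairs only for records whose digests have the right length, so a truncated hash never becomes an IOC. Treating a repeatedly re-dumped region at the default 32-bit image base as the first place to carve for an unpacked payload is a triage heuristic, not something the report states.

```python
"""Parse a sandbox 'Files' listing (dropped files with hashes plus
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp entries) into per-PID
region maps and file IOCs. Added example; naming convention is inferred."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the report's listing, in its own layout
# (path line, one hash per line, memory snapshots interleaved in capture order).
SAMPLE = r"""
memory/5596-579-0x0000000000400000-0x000000000298D000-memory.dmp
memory/5304-619-0x0000000000400000-0x00000000005F1000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9
memory/5596-645-0x0000000000400000-0x000000000298D000-memory.dmp
memory/5304-629-0x0000000000400000-0x00000000005F1000-memory.dmp
memory/5412-647-0x00000000057A0000-0x0000000005816000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
memory/5596-864-0x0000000000400000-0x000000000298D000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
IMAGE_BASE_32 = 0x400000  # default image base of a 32-bit PE executable


def hash_is_well_formed(algo, digest):
    """True when the hex digest has exactly the length the algorithm produces."""
    return algo in HASH_LEN and len(digest) == HASH_LEN[algo]


def parse_listing(text):
    """Return (files, dumps): files = [{path, hashes{algo: digest}, bad_hashes}],
    dumps = [{pid, seq, start, end, size}] in listing order."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "seq": int(m[2]),
                          "start": start, "end": end, "size": end - start})
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:      # orphan hash (record's path line is out of view)
                continue
            algo, digest = m[1], m[2].lower()
            if hash_is_well_formed(algo, digest):
                current["hashes"][algo] = digest
            else:                    # truncated or garbled; never use as an IOC
                current["bad_hashes"].append((algo, digest))
            continue
        # Any other non-empty line is a file path opening a new record.
        current = {"path": line, "hashes": {}, "bad_hashes": []}
        files.append(current)
    return files, dumps


def region_map(dumps):
    """{pid: {(start, end): number of snapshots of that exact range}}"""
    regions = defaultdict(lambda: defaultdict(int))
    for d in dumps:
        regions[d["pid"]][(d["start"], d["end"])] += 1
    return {pid: dict(r) for pid, r in regions.items()}


def repeated_regions(dumps, min_count=2):
    """(pid, start, end, count) for ranges captured at least min_count times,
    sorted by pid then address. A range re-dumped at the same address across the
    run is the usual sign of an image rewritten in place: carve it first."""
    out = []
    for pid, regs in region_map(dumps).items():
        for (start, end), n in regs.items():
            if n >= min_count:
                out.append((pid, start, end, n))
    return sorted(out)


def pids_with_image_base_dump(dumps, base=IMAGE_BASE_32):
    """PIDs with at least one snapshot starting at the default 32-bit image base."""
    return sorted({d["pid"] for d in dumps if d["start"] == base})


def file_iocs(files):
    """(path, sha256) for every record carrying a well-formed SHA256."""
    return [(f["path"], f["hashes"]["SHA256"]) for f in files if "SHA256" in f["hashes"]]


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for pid, start, end, n in repeated_regions(dumps):
        print(f"pid {pid}: 0x{start:X}-0x{end:X} ({end - start} bytes) dumped {n}x")
    for path, sha in file_iocs(files):
        print(sha, path)
```

Run it against the full listing by pasting the text into SAMPLE or reading it from a file; the orphan-hash rule handles a record whose path line fell on the previous page, as at the top of this section.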