Analysis Overview
SHA256
5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08
Threat Level: Known bad
The file was found to be: Known bad.
Malicious Activity Summary
Fabookie
Glupteba payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect Fabookie payload
Windows security bypass
Gozi
UAC bypass
Glupteba
Modifies boot configuration data using bcdedit
Possible attempt to disable PatchGuard
Stops running service(s)
Downloads MZ/PE file
Modifies Windows Firewall
Drops file in Drivers directory
Windows security modification
Loads dropped DLL
Checks computer location settings
UPX packed file
Drops startup file
Checks BIOS information in registry
Executes dropped EXE
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Detected potential entity reuse from brand Microsoft.
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Kills process with taskkill
Runs net.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-05 19:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-05 19:14
Reported
2023-10-05 19:17
Platform
win7-20230831-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Fabookie payload
Fabookie
Glupteba
Glupteba payload
Gozi
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2964 created 1264 | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | C:\Windows\Explorer.EXE |
| PID 2964 created 1264 | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | C:\Windows\Explorer.EXE |
| PID 2964 created 1264 | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | C:\Windows\Explorer.EXE |
| PID 2964 created 1264 | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | C:\Windows\Explorer.EXE |
| PID 2964 created 1264 | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | C:\Windows\Explorer.EXE |
| PID 2964 created 1264 | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | C:\Windows\Explorer.EXE |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS99C0.tmp\Install.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4zMTSm3gxXkFvRfw8WDRhExh.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q4sUOvTYLQTDxbY0BbaBqrBf.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X6GfYddaEsbCgpnOuFIfxpri.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mUG9xbucayIDxMR0WXCLZqaP.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dOYkT2Q65mDuvfhGKgaSomNU.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POtkX5ZlhAkDs5zAS9RDEZaz.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqXGdUmv4HQdqA2fZNVpHrco.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PzuYn4t9HI9UVfcvd2Bn3Ha5.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hxfwWMZr5ErOkIMJH9n3hpgn.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3Zr6PO5T2y6OxRu7A1C1pjjC.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7QYkqJxLb3LN46njFM3I5iZ8.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A |
Executes dropped EXE
Loads dropped DLL
UPX packed file
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2544 set thread context of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\OSNMount\is-1K6TK.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1285.tmp\is-FLROU.tmp | N/A |
| File created | C:\Program Files (x86)\OSNMount\is-MKIG4.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1285.tmp\is-FLROU.tmp | N/A |
| File created | C:\Program Files (x86)\OSNMount\is-NUV5D.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1285.tmp\is-FLROU.tmp | N/A |
| File created | C:\Program Files (x86)\OSNMount\is-1MO6O.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1285.tmp\is-FLROU.tmp | N/A |
| File created | C:\Program Files (x86)\OSNMount\is-V134K.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1285.tmp\is-FLROU.tmp | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | N/A |
| File created | C:\Program Files (x86)\OSNMount\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-Q1285.tmp\is-FLROU.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\OSNMount\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-Q1285.tmp\is-FLROU.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\OSNMount\OSNMount.exe | C:\Users\Admin\AppData\Local\Temp\is-Q1285.tmp\is-FLROU.tmp | N/A |
| File created | C:\Program Files (x86)\OSNMount\is-6GG4P.tmp | C:\Users\Admin\AppData\Local\Temp\is-Q1285.tmp\is-FLROU.tmp | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS99C0.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS99C0.tmp\Install.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\cmd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\PUp7Ca2ZLwoMlz64PypWsvIC.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
C:\Users\Admin\Pictures\TvoVJVpyp1KG1sPFQhBT1HTv.exe
"C:\Users\Admin\Pictures\TvoVJVpyp1KG1sPFQhBT1HTv.exe"
C:\Users\Admin\Pictures\5c2ZUe5XRuv4rMSE5lPwFZoe.exe
"C:\Users\Admin\Pictures\5c2ZUe5XRuv4rMSE5lPwFZoe.exe"
C:\Users\Admin\Pictures\GIzUBPHzpnjz07MH5j2plr7i.exe
"C:\Users\Admin\Pictures\GIzUBPHzpnjz07MH5j2plr7i.exe"
C:\Users\Admin\Pictures\lAncCPnYD69gGR3nf3UzF4Ej.exe
"C:\Users\Admin\Pictures\lAncCPnYD69gGR3nf3UzF4Ej.exe"
C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe
"C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe"
C:\Users\Admin\Pictures\uSyRdfTGWztDScGOgIa2xvLq.exe
"C:\Users\Admin\Pictures\uSyRdfTGWztDScGOgIa2xvLq.exe"
C:\Users\Admin\Pictures\hZMK3OH2E67ZXCmqxCRDKHUd.exe
"C:\Users\Admin\Pictures\hZMK3OH2E67ZXCmqxCRDKHUd.exe"
C:\Users\Admin\AppData\Local\Temp\is-Q1285.tmp\is-FLROU.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q1285.tmp\is-FLROU.tmp" /SL4 $7011C "C:\Users\Admin\Pictures\uSyRdfTGWztDScGOgIa2xvLq.exe" 2846236 52224
C:\Users\Admin\Pictures\VfzR0Sr0ZzdUIR4yxyWi9ZjN.exe
"C:\Users\Admin\Pictures\VfzR0Sr0ZzdUIR4yxyWi9ZjN.exe"
C:\Users\Admin\AppData\Local\Temp\is-NKOFR.tmp\lAncCPnYD69gGR3nf3UzF4Ej.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NKOFR.tmp\lAncCPnYD69gGR3nf3UzF4Ej.tmp" /SL5="$5017A,491750,408064,C:\Users\Admin\Pictures\lAncCPnYD69gGR3nf3UzF4Ej.exe"
C:\Users\Admin\Pictures\gD1meB0RVsTHselxIFLnm5f0.exe
"C:\Users\Admin\Pictures\gD1meB0RVsTHselxIFLnm5f0.exe" --silent --allusers=0
C:\Users\Admin\Pictures\LOarvleRXbsD4EnBkrW8Z1Wm.exe
"C:\Users\Admin\Pictures\LOarvleRXbsD4EnBkrW8Z1Wm.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8A84.tmp\Install.exe
.\Install.exe
C:\Program Files (x86)\OSNMount\OSNMount.exe
"C:\Program Files (x86)\OSNMount\OSNMount.exe" -i
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 29
C:\Users\Admin\AppData\Local\Temp\7zS99C0.tmp\Install.exe
.\Install.exe /DdidCJjeH "385120" /S
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 29
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\Pictures\PUp7Ca2ZLwoMlz64PypWsvIC.exe
"C:\Users\Admin\Pictures\PUp7Ca2ZLwoMlz64PypWsvIC.exe"
C:\Program Files (x86)\OSNMount\OSNMount.exe
"C:\Program Files (x86)\OSNMount\OSNMount.exe" -s
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\System32\sc.exe
sc stop dosvc
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "5c2ZUe5XRuv4rMSE5lPwFZoe.exe" /f & erase "C:\Users\Admin\Pictures\5c2ZUe5XRuv4rMSE5lPwFZoe.exe" & exit
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
C:\Users\Admin\AppData\Local\Temp\is-T56HV.tmp\8758677____.exe
"C:\Users\Admin\AppData\Local\Temp\is-T56HV.tmp\8758677____.exe" /S /UID=lylal220
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "5c2ZUe5XRuv4rMSE5lPwFZoe.exe" /f
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gPjdsbqpj" /SC once /ST 11:31:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gPjdsbqpj"
C:\Windows\system32\taskeng.exe
taskeng.exe {ED30D200-4D23-4D7C-BD90-238D8D8149F5} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Program Files\Windows NT\NJWRBPYZAI\lightcleaner.exe
"C:\Program Files\Windows NT\NJWRBPYZAI\lightcleaner.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\is-VQ0GE.tmp\lightcleaner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VQ0GE.tmp\lightcleaner.tmp" /SL5="$2020C,833775,56832,C:\Program Files\Windows NT\NJWRBPYZAI\lightcleaner.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\70-12140-74e-3b8b2-805776fc2944a\Buharizhaeso.exe
"C:\Users\Admin\AppData\Local\Temp\70-12140-74e-3b8b2-805776fc2944a\Buharizhaeso.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 384
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231005191532.log C:\Windows\Logs\CBS\CbsPersist_20231005191532.cab
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\Pictures\GIzUBPHzpnjz07MH5j2plr7i.exe
"C:\Users\Admin\Pictures\GIzUBPHzpnjz07MH5j2plr7i.exe"
C:\Users\Admin\Pictures\hZMK3OH2E67ZXCmqxCRDKHUd.exe
"C:\Users\Admin\Pictures\hZMK3OH2E67ZXCmqxCRDKHUd.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gPjdsbqpj"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bAutabDQFHrvmwrWbf" /SC once /ST 19:16:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\rqBhQmxZHCWBdIf\NvgdKaU.exe\" F9 /pVsite_idGdo 385120 /S" /V1 /F
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {5C137C4B-F60E-4CBC-85AE-2C363EB90411} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\rqBhQmxZHCWBdIf\NvgdKaU.exe
C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\rqBhQmxZHCWBdIf\NvgdKaU.exe F9 /pVsite_idGdo 385120 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gOheimcOj" /SC once /ST 00:29:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gOheimcOj"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gOheimcOj"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gMHSQsNUu" /SC once /ST 09:12:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gMHSQsNUu"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
Network
Files
memory/2544-0-0x00000000009F0000-0x0000000000A52000-memory.dmp
memory/2544-1-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2544-2-0x00000000047D0000-0x0000000004810000-memory.dmp
memory/2544-3-0x00000000006A0000-0x00000000006EC000-memory.dmp
memory/2544-4-0x00000000003E0000-0x00000000003FA000-memory.dmp
memory/2568-7-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2568-9-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2568-11-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2544-13-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2568-12-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2568-14-0x0000000000640000-0x0000000000680000-memory.dmp
memory/3064-15-0x0000000002060000-0x00000000020A0000-memory.dmp
memory/3064-16-0x000000006F250000-0x000000006F7FB000-memory.dmp
memory/3064-17-0x000000006F250000-0x000000006F7FB000-memory.dmp
memory/3064-18-0x0000000002060000-0x00000000020A0000-memory.dmp
memory/3064-19-0x000000006F250000-0x000000006F7FB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab62CA.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar62FC.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\Pictures\5c2ZUe5XRuv4rMSE5lPwFZoe.exe
| MD5 | 74b2d6fb1c1f8429468cb315918ee7f6 |
| SHA1 | 5fae12c58852cead4403af10fc6affa153f4900c |
| SHA256 | c1914894e6e67a643e782c48a06ce290c5e42f3fff52862cee6ca41a683d61ac |
| SHA512 | 296973166f94a06da0133ead909ebbcf773a541540195c7f15ec9ca1f7bbb653dfd21500b37fd86bab68dac747b68a99cc10f3113c82e0183e6ae85364a4e64f |
C:\Users\Admin\Pictures\5c2ZUe5XRuv4rMSE5lPwFZoe.exe
| MD5 | 74b2d6fb1c1f8429468cb315918ee7f6 |
| SHA1 | 5fae12c58852cead4403af10fc6affa153f4900c |
| SHA256 | c1914894e6e67a643e782c48a06ce290c5e42f3fff52862cee6ca41a683d61ac |
| SHA512 | 296973166f94a06da0133ead909ebbcf773a541540195c7f15ec9ca1f7bbb653dfd21500b37fd86bab68dac747b68a99cc10f3113c82e0183e6ae85364a4e64f |
\Users\Admin\Pictures\5c2ZUe5XRuv4rMSE5lPwFZoe.exe
| MD5 | 74b2d6fb1c1f8429468cb315918ee7f6 |
| SHA1 | 5fae12c58852cead4403af10fc6affa153f4900c |
| SHA256 | c1914894e6e67a643e782c48a06ce290c5e42f3fff52862cee6ca41a683d61ac |
| SHA512 | 296973166f94a06da0133ead909ebbcf773a541540195c7f15ec9ca1f7bbb653dfd21500b37fd86bab68dac747b68a99cc10f3113c82e0183e6ae85364a4e64f |
\Users\Admin\Pictures\5c2ZUe5XRuv4rMSE5lPwFZoe.exe
| MD5 | 74b2d6fb1c1f8429468cb315918ee7f6 |
| SHA1 | 5fae12c58852cead4403af10fc6affa153f4900c |
| SHA256 | c1914894e6e67a643e782c48a06ce290c5e42f3fff52862cee6ca41a683d61ac |
| SHA512 | 296973166f94a06da0133ead909ebbcf773a541540195c7f15ec9ca1f7bbb653dfd21500b37fd86bab68dac747b68a99cc10f3113c82e0183e6ae85364a4e64f |
\Users\Admin\Pictures\TvoVJVpyp1KG1sPFQhBT1HTv.exe
| MD5 | 6eef09d9464b3feab08a9a27b7cde5f9 |
| SHA1 | 8e2ea545417f2e8e1d0c34abb71989ee413ec298 |
| SHA256 | f9773679f4ff3fe8ea0cae3e0d829853e693ad098161321e5c67fbc652bb5d19 |
| SHA512 | ee56f4908bb07bfdccc0dbc617d8a8946505107c0417e700d81834cbef1da2f551c8723b5e19de1dc47714229506407f9d7e9ed9958b980467590b95d671ca11 |
\Users\Admin\Pictures\TvoVJVpyp1KG1sPFQhBT1HTv.exe
| MD5 | 6eef09d9464b3feab08a9a27b7cde5f9 |
| SHA1 | 8e2ea545417f2e8e1d0c34abb71989ee413ec298 |
| SHA256 | f9773679f4ff3fe8ea0cae3e0d829853e693ad098161321e5c67fbc652bb5d19 |
| SHA512 | ee56f4908bb07bfdccc0dbc617d8a8946505107c0417e700d81834cbef1da2f551c8723b5e19de1dc47714229506407f9d7e9ed9958b980467590b95d671ca11 |
C:\Users\Admin\Pictures\TvoVJVpyp1KG1sPFQhBT1HTv.exe
| MD5 | 6eef09d9464b3feab08a9a27b7cde5f9 |
| SHA1 | 8e2ea545417f2e8e1d0c34abb71989ee413ec298 |
| SHA256 | f9773679f4ff3fe8ea0cae3e0d829853e693ad098161321e5c67fbc652bb5d19 |
| SHA512 | ee56f4908bb07bfdccc0dbc617d8a8946505107c0417e700d81834cbef1da2f551c8723b5e19de1dc47714229506407f9d7e9ed9958b980467590b95d671ca11 |
C:\Users\Admin\Pictures\TvoVJVpyp1KG1sPFQhBT1HTv.exe
| MD5 | 6eef09d9464b3feab08a9a27b7cde5f9 |
| SHA1 | 8e2ea545417f2e8e1d0c34abb71989ee413ec298 |
| SHA256 | f9773679f4ff3fe8ea0cae3e0d829853e693ad098161321e5c67fbc652bb5d19 |
| SHA512 | ee56f4908bb07bfdccc0dbc617d8a8946505107c0417e700d81834cbef1da2f551c8723b5e19de1dc47714229506407f9d7e9ed9958b980467590b95d671ca11 |
\Users\Admin\Pictures\GIzUBPHzpnjz07MH5j2plr7i.exe
| MD5 | 90ff59568349ed403a4a6eef391069dd |
| SHA1 | 695a8e63f06415ac825c95c10020747ca9073e36 |
| SHA256 | c47252c3a23f10e4adff71abdd32fbb8c803e90c0dec2feffec19a81264b8c53 |
| SHA512 | 9665df87a981ba6b38dc7b777ba7a11796381305d17f4b0e7b5cee1a88b147209d328a367ce5037b2f59130358fc0d7e37bd281dc52db02d2989576e5fda9f7c |
\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe
| MD5 | 7af78ecfa55e8aeb8b699076266f7bcf |
| SHA1 | 432c9deb88d92ae86c55de81af26527d7d1af673 |
| SHA256 | f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e |
| SHA512 | 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e |
C:\Users\Admin\Pictures\GIzUBPHzpnjz07MH5j2plr7i.exe
| MD5 | 90ff59568349ed403a4a6eef391069dd |
| SHA1 | 695a8e63f06415ac825c95c10020747ca9073e36 |
| SHA256 | c47252c3a23f10e4adff71abdd32fbb8c803e90c0dec2feffec19a81264b8c53 |
| SHA512 | 9665df87a981ba6b38dc7b777ba7a11796381305d17f4b0e7b5cee1a88b147209d328a367ce5037b2f59130358fc0d7e37bd281dc52db02d2989576e5fda9f7c |
memory/1768-147-0x0000000004910000-0x0000000004D08000-memory.dmp
C:\Users\Admin\Pictures\GIzUBPHzpnjz07MH5j2plr7i.exe
| MD5 | 90ff59568349ed403a4a6eef391069dd |
| SHA1 | 695a8e63f06415ac825c95c10020747ca9073e36 |
| SHA256 | c47252c3a23f10e4adff71abdd32fbb8c803e90c0dec2feffec19a81264b8c53 |
| SHA512 | 9665df87a981ba6b38dc7b777ba7a11796381305d17f4b0e7b5cee1a88b147209d328a367ce5037b2f59130358fc0d7e37bd281dc52db02d2989576e5fda9f7c |
C:\Users\Admin\Pictures\uSyRdfTGWztDScGOgIa2xvLq.exe
| MD5 | f54dcf71bd0999b45f788c9f23cf8f9a |
| SHA1 | b001ef98646c586d9044ad942142654e430dea72 |
| SHA256 | e602fe5f2a00387ddafc3905e29830fede66be3f4c586816c5b2ba241a387827 |
| SHA512 | 092a8aa1f485fead266a91844d23fc3670b88fce02df2b559da0435e0e29ed3521b3347c823daa93c98b185d43b729df60eede0597868b267e6c39c2632d8411 |
C:\Users\Admin\Pictures\uSyRdfTGWztDScGOgIa2xvLq.exe
| MD5 | f54dcf71bd0999b45f788c9f23cf8f9a |
| SHA1 | b001ef98646c586d9044ad942142654e430dea72 |
| SHA256 | e602fe5f2a00387ddafc3905e29830fede66be3f4c586816c5b2ba241a387827 |
| SHA512 | 092a8aa1f485fead266a91844d23fc3670b88fce02df2b559da0435e0e29ed3521b3347c823daa93c98b185d43b729df60eede0597868b267e6c39c2632d8411 |
memory/2232-165-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\Pictures\lAncCPnYD69gGR3nf3UzF4Ej.exe
| MD5 | 6172d07e0711bc23642c3b6b86e4fec7 |
| SHA1 | c49a6bb96d15baa7d58ff9808c3311454959157b |
| SHA256 | 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6 |
| SHA512 | 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b |
C:\Users\Admin\Pictures\uSyRdfTGWztDScGOgIa2xvLq.exe
| MD5 | f54dcf71bd0999b45f788c9f23cf8f9a |
| SHA1 | b001ef98646c586d9044ad942142654e430dea72 |
| SHA256 | e602fe5f2a00387ddafc3905e29830fede66be3f4c586816c5b2ba241a387827 |
| SHA512 | 092a8aa1f485fead266a91844d23fc3670b88fce02df2b559da0435e0e29ed3521b3347c823daa93c98b185d43b729df60eede0597868b267e6c39c2632d8411 |
\Users\Admin\Pictures\uSyRdfTGWztDScGOgIa2xvLq.exe
| MD5 | f54dcf71bd0999b45f788c9f23cf8f9a |
| SHA1 | b001ef98646c586d9044ad942142654e430dea72 |
| SHA256 | e602fe5f2a00387ddafc3905e29830fede66be3f4c586816c5b2ba241a387827 |
| SHA512 | 092a8aa1f485fead266a91844d23fc3670b88fce02df2b559da0435e0e29ed3521b3347c823daa93c98b185d43b729df60eede0597868b267e6c39c2632d8411 |
\Users\Admin\Pictures\GIzUBPHzpnjz07MH5j2plr7i.exe
| MD5 | 90ff59568349ed403a4a6eef391069dd |
| SHA1 | 695a8e63f06415ac825c95c10020747ca9073e36 |
| SHA256 | c47252c3a23f10e4adff71abdd32fbb8c803e90c0dec2feffec19a81264b8c53 |
| SHA512 | 9665df87a981ba6b38dc7b777ba7a11796381305d17f4b0e7b5cee1a88b147209d328a367ce5037b2f59130358fc0d7e37bd281dc52db02d2989576e5fda9f7c |
\Users\Admin\Pictures\lAncCPnYD69gGR3nf3UzF4Ej.exe
| MD5 | 6172d07e0711bc23642c3b6b86e4fec7 |
| SHA1 | c49a6bb96d15baa7d58ff9808c3311454959157b |
| SHA256 | 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6 |
| SHA512 | 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b |
C:\Users\Admin\Pictures\OkGU7rS6GnFStqdxYy2QxvKR.exe
| MD5 | 7af78ecfa55e8aeb8b699076266f7bcf |
| SHA1 | 432c9deb88d92ae86c55de81af26527d7d1af673 |
| SHA256 | f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e |
| SHA512 | 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e |
C:\Users\Admin\Pictures\lAncCPnYD69gGR3nf3UzF4Ej.exe
| MD5 | 6172d07e0711bc23642c3b6b86e4fec7 |
| SHA1 | c49a6bb96d15baa7d58ff9808c3311454959157b |
| SHA256 | 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6 |
| SHA512 | 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b |
\Users\Admin\Pictures\hZMK3OH2E67ZXCmqxCRDKHUd.exe
| MD5 | 1c86f687cb15ba854d847f07d2f8e2be |
| SHA1 | 20b2b70a9045a88198dfa3fdf76a4a469f395391 |
| SHA256 | ee05a184d75907ae050bd3855a61609fa2569a96f1a2be38986e853afa9d049f |
| SHA512 | 66a27ce361db7f99ed4e3116d1ece028a0cf09165156a06c3a6b8e67f2ea75a994216756eb515f7b5d8aca6e1d9057f1edfeb962b7ab16a33d4eeba725aec1a9 |
C:\Users\Admin\Pictures\hZMK3OH2E67ZXCmqxCRDKHUd.exe
| MD5 | 1c86f687cb15ba854d847f07d2f8e2be |
| SHA1 | 20b2b70a9045a88198dfa3fdf76a4a469f395391 |
| SHA256 | ee05a184d75907ae050bd3855a61609fa2569a96f1a2be38986e853afa9d049f |
| SHA512 | 66a27ce361db7f99ed4e3116d1ece028a0cf09165156a06c3a6b8e67f2ea75a994216756eb515f7b5d8aca6e1d9057f1edfeb962b7ab16a33d4eeba725aec1a9 |
\Users\Admin\Pictures\hZMK3OH2E67ZXCmqxCRDKHUd.exe
| MD5 | 1c86f687cb15ba854d847f07d2f8e2be |
| SHA1 | 20b2b70a9045a88198dfa3fdf76a4a469f395391 |
| SHA256 | ee05a184d75907ae050bd3855a61609fa2569a96f1a2be38986e853afa9d049f |
| SHA512 | 66a27ce361db7f99ed4e3116d1ece028a0cf09165156a06c3a6b8e67f2ea75a994216756eb515f7b5d8aca6e1d9057f1edfeb962b7ab16a33d4eeba725aec1a9 |
memory/2844-183-0x0000000000400000-0x000000000046A000-memory.dmp
\Users\Admin\Pictures\VfzR0Sr0ZzdUIR4yxyWi9ZjN.exe
| MD5 | 6e45986a505bed78232a8867b5860ea6 |
| SHA1 | 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c |
| SHA256 | c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829 |
| SHA512 | d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde |
C:\Users\Admin\Pictures\VfzR0Sr0ZzdUIR4yxyWi9ZjN.exe
| MD5 | 6e45986a505bed78232a8867b5860ea6 |
| SHA1 | 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c |
| SHA256 | c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829 |
| SHA512 | d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde |
C:\Users\Admin\Pictures\VfzR0Sr0ZzdUIR4yxyWi9ZjN.exe
| MD5 | 6e45986a505bed78232a8867b5860ea6 |
| SHA1 | 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c |
| SHA256 | c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829 |
| SHA512 | d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde |
\Users\Admin\Pictures\VfzR0Sr0ZzdUIR4yxyWi9ZjN.exe
| MD5 | 6e45986a505bed78232a8867b5860ea6 |
| SHA1 | 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c |
| SHA256 | c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829 |
| SHA512 | d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde |
memory/2568-185-0x0000000074270000-0x000000007495E000-memory.dmp
C:\Users\Admin\Pictures\hZMK3OH2E67ZXCmqxCRDKHUd.exe
| MD5 | 1c86f687cb15ba854d847f07d2f8e2be |
| SHA1 | 20b2b70a9045a88198dfa3fdf76a4a469f395391 |
| SHA256 | ee05a184d75907ae050bd3855a61609fa2569a96f1a2be38986e853afa9d049f |
| SHA512 | 66a27ce361db7f99ed4e3116d1ece028a0cf09165156a06c3a6b8e67f2ea75a994216756eb515f7b5d8aca6e1d9057f1edfeb962b7ab16a33d4eeba725aec1a9 |
memory/648-188-0x00000000048A0000-0x0000000004C98000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-Q1285.tmp\is-FLROU.tmp
| MD5 | f1b5055e1e80bf52a48683f85f9298ef |
| SHA1 | 26976cc0c690693084466d185c5e84da9870a778 |
| SHA256 | 0b6381a1fc1ebc6594804042c8bf1ccfac7a9328bba3d3a487e571cbee298e50 |
| SHA512 | 01290db6ac4dedb15d20fdc80a112b34cbce5c381c8fd262633c662e7927b314bca8063ad6109331d57feb50ed4045c05a7235347bb29edf401f9f867e9237ef |
C:\Users\Admin\Pictures\lAncCPnYD69gGR3nf3UzF4Ej.exe
| MD5 | 6172d07e0711bc23642c3b6b86e4fec7 |
| SHA1 | c49a6bb96d15baa7d58ff9808c3311454959157b |
| SHA256 | 5bd34cee3edff3bedc453b25875218a4903a26c464159630514fb464c41ec4d6 |
| SHA512 | 4374911d24f78fa501c7a015eb95c57f52192e47c5b9b9eeb6b972eb3e11c59e471d69aa97af619409fd5aa6e809c6c5310aa967b6aab69eeb40dc90131f076b |
memory/2844-203-0x0000000000400000-0x000000000046A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-Q1285.tmp\is-FLROU.tmp
| MD5 | f1b5055e1e80bf52a48683f85f9298ef |
| SHA1 | 26976cc0c690693084466d185c5e84da9870a778 |
| SHA256 | 0b6381a1fc1ebc6594804042c8bf1ccfac7a9328bba3d3a487e571cbee298e50 |
| SHA512 | 01290db6ac4dedb15d20fdc80a112b34cbce5c381c8fd262633c662e7927b314bca8063ad6109331d57feb50ed4045c05a7235347bb29edf401f9f867e9237ef |
memory/788-207-0x00000000FF6E0000-0x00000000FF7CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-NKOFR.tmp\lAncCPnYD69gGR3nf3UzF4Ej.tmp
| MD5 | 83827c13d95750c766e5bd293469a7f8 |
| SHA1 | d21b45e9c672d0f85b8b451ee0e824567bb23f91 |
| SHA256 | 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae |
| SHA512 | cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0 |
\Users\Admin\AppData\Local\Temp\is-NKOFR.tmp\lAncCPnYD69gGR3nf3UzF4Ej.tmp
| MD5 | 83827c13d95750c766e5bd293469a7f8 |
| SHA1 | d21b45e9c672d0f85b8b451ee0e824567bb23f91 |
| SHA256 | 8bd7e6b4a6be9f3887ac6439e97d3d3c8aaa27211d02ecbd925ab1df39afe7ae |
| SHA512 | cdbdd93fc637772b12bdedb59c4fb72a291da61e8c6b0061ad2f9448e8c949543f003646b1f5ce3e1e3aebc12de27409ddd76d3874b8f4f098163a1ff328b6f0 |
\Users\Admin\Pictures\gD1meB0RVsTHselxIFLnm5f0.exe
| MD5 | 1877068462d09959ea66f8613ee6098d |
| SHA1 | 37b0a23d3e12f94a3afc3e65841b4187e87d30fb |
| SHA256 | c6e6298f6c95f21d2b7141d77be401edf5cd628bd1289aa741074274d2595354 |
| SHA512 | 0918c1a3504eea4084a3303e320e74d68b28691dc4e517d3d422e338ede91955928d215a8754019771e9bae2151741b3ce2c91503705b7a29c6e939e4ba9b235 |
memory/2568-214-0x000000000B820000-0x000000000BD6D000-memory.dmp
C:\Users\Admin\Pictures\gD1meB0RVsTHselxIFLnm5f0.exe
| MD5 | 1877068462d09959ea66f8613ee6098d |
| SHA1 | 37b0a23d3e12f94a3afc3e65841b4187e87d30fb |
| SHA256 | c6e6298f6c95f21d2b7141d77be401edf5cd628bd1289aa741074274d2595354 |
| SHA512 | 0918c1a3504eea4084a3303e320e74d68b28691dc4e517d3d422e338ede91955928d215a8754019771e9bae2151741b3ce2c91503705b7a29c6e939e4ba9b235 |
C:\Users\Admin\Pictures\gD1meB0RVsTHselxIFLnm5f0.exe
| MD5 | 1877068462d09959ea66f8613ee6098d |
| SHA1 | 37b0a23d3e12f94a3afc3e65841b4187e87d30fb |
| SHA256 | c6e6298f6c95f21d2b7141d77be401edf5cd628bd1289aa741074274d2595354 |
| SHA512 | 0918c1a3504eea4084a3303e320e74d68b28691dc4e517d3d422e338ede91955928d215a8754019771e9bae2151741b3ce2c91503705b7a29c6e939e4ba9b235 |
memory/2352-217-0x0000000001260000-0x00000000017AD000-memory.dmp
\Users\Admin\Pictures\LOarvleRXbsD4EnBkrW8Z1Wm.exe
| MD5 | 6476ef8de333d5810032a4ee90b0f97b |
| SHA1 | 08026561b27f18df03624b176b42cc5e90809ed7 |
| SHA256 | 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c |
| SHA512 | 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13 |
memory/880-218-0x0000000000770000-0x0000000000870000-memory.dmp
C:\Users\Admin\Pictures\LOarvleRXbsD4EnBkrW8Z1Wm.exe
| MD5 | 6476ef8de333d5810032a4ee90b0f97b |
| SHA1 | 08026561b27f18df03624b176b42cc5e90809ed7 |
| SHA256 | 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c |
| SHA512 | 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13 |
C:\Users\Admin\Pictures\LOarvleRXbsD4EnBkrW8Z1Wm.exe
| MD5 | 6476ef8de333d5810032a4ee90b0f97b |
| SHA1 | 08026561b27f18df03624b176b42cc5e90809ed7 |
| SHA256 | 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c |
| SHA512 | 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13 |
C:\Users\Admin\Pictures\LOarvleRXbsD4EnBkrW8Z1Wm.exe
| MD5 | 6476ef8de333d5810032a4ee90b0f97b |
| SHA1 | 08026561b27f18df03624b176b42cc5e90809ed7 |
| SHA256 | 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c |
| SHA512 | 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13 |
\Users\Admin\AppData\Local\Temp\is-T56HV.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-Q1285.tmp\is-FLROU.tmp
| MD5 | f1b5055e1e80bf52a48683f85f9298ef |
| SHA1 | 26976cc0c690693084466d185c5e84da9870a778 |
| SHA256 | 0b6381a1fc1ebc6594804042c8bf1ccfac7a9328bba3d3a487e571cbee298e50 |
| SHA512 | 01290db6ac4dedb15d20fdc80a112b34cbce5c381c8fd262633c662e7927b314bca8063ad6109331d57feb50ed4045c05a7235347bb29edf401f9f867e9237ef |
\Users\Admin\AppData\Local\Temp\is-T56HV.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-CBELP.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-CBELP.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-T56HV.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
\Users\Admin\AppData\Local\Temp\is-CBELP.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-CBELP.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\Pictures\LOarvleRXbsD4EnBkrW8Z1Wm.exe
| MD5 | 6476ef8de333d5810032a4ee90b0f97b |
| SHA1 | 08026561b27f18df03624b176b42cc5e90809ed7 |
| SHA256 | 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c |
| SHA512 | 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13 |
\Users\Admin\Pictures\LOarvleRXbsD4EnBkrW8Z1Wm.exe
| MD5 | 6476ef8de333d5810032a4ee90b0f97b |
| SHA1 | 08026561b27f18df03624b176b42cc5e90809ed7 |
| SHA256 | 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c |
| SHA512 | 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13 |
\Users\Admin\Pictures\LOarvleRXbsD4EnBkrW8Z1Wm.exe
| MD5 | 6476ef8de333d5810032a4ee90b0f97b |
| SHA1 | 08026561b27f18df03624b176b42cc5e90809ed7 |
| SHA256 | 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c |
| SHA512 | 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13 |
memory/880-247-0x0000000000220000-0x000000000025E000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS8A84.tmp\Install.exe
| MD5 | dfc1d238d066adf23a2caa48b0154e2c |
| SHA1 | 8faefdab9d82683173b0be1cf03b5b2135e5e83e |
| SHA256 | 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5 |
| SHA512 | 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d |
memory/880-255-0x0000000000400000-0x00000000005B6000-memory.dmp
memory/2276-265-0x0000000000240000-0x0000000000241000-memory.dmp
memory/988-266-0x00000000003D0000-0x00000000003D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\Opera_installer_2310051914531772352.dll
| MD5 | e23e7fc90656694198494310a901921a |
| SHA1 | 341540eaf106932d51a3ac56cb07eeb6924f5ebd |
| SHA256 | bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75 |
| SHA512 | d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d |
C:\Users\Admin\AppData\Local\Temp\7zS8A84.tmp\Install.exe
| MD5 | dfc1d238d066adf23a2caa48b0154e2c |
| SHA1 | 8faefdab9d82683173b0be1cf03b5b2135e5e83e |
| SHA256 | 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5 |
| SHA512 | 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d |
C:\Users\Admin\AppData\Local\Temp\7zS8A84.tmp\Install.exe
| MD5 | dfc1d238d066adf23a2caa48b0154e2c |
| SHA1 | 8faefdab9d82683173b0be1cf03b5b2135e5e83e |
| SHA256 | 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5 |
| SHA512 | 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d |
\Users\Admin\AppData\Local\Temp\7zS8A84.tmp\Install.exe
| MD5 | dfc1d238d066adf23a2caa48b0154e2c |
| SHA1 | 8faefdab9d82683173b0be1cf03b5b2135e5e83e |
| SHA256 | 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5 |
| SHA512 | 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d |
\Users\Admin\AppData\Local\Temp\7zS8A84.tmp\Install.exe
| MD5 | dfc1d238d066adf23a2caa48b0154e2c |
| SHA1 | 8faefdab9d82683173b0be1cf03b5b2135e5e83e |
| SHA256 | 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5 |
| SHA512 | 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d |
\Users\Admin\AppData\Local\Temp\7zS8A84.tmp\Install.exe
| MD5 | dfc1d238d066adf23a2caa48b0154e2c |
| SHA1 | 8faefdab9d82683173b0be1cf03b5b2135e5e83e |
| SHA256 | 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5 |
| SHA512 | 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d |
memory/2964-295-0x000000013F400000-0x000000013F943000-memory.dmp
memory/2844-304-0x0000000000400000-0x000000000046A000-memory.dmp
C:\Program Files (x86)\OSNMount\OSNMount.exe
| MD5 | 016e672371a4716f6f7b5f14a0d22006 |
| SHA1 | 5a1a731ec902a26a4f0bb7774e1c25451b9a0f01 |
| SHA256 | 1328eb253044694b17d4343f4eb000c95a7bfb0c478bc315eec842e7f7a2d8bc |
| SHA512 | 7dfceeb44a7d2a7e6c918bffd4c902241ecd4a8f70c81ad0d2fe31a91f05161c25229aafef40c153e13910b0ee4c9214126bd673472bac07ffb2e29668df5110 |
memory/988-306-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/988-307-0x0000000003980000-0x0000000003BCD000-memory.dmp
memory/2232-305-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Program Files (x86)\OSNMount\OSNMount.exe
| MD5 | 016e672371a4716f6f7b5f14a0d22006 |
| SHA1 | 5a1a731ec902a26a4f0bb7774e1c25451b9a0f01 |
| SHA256 | 1328eb253044694b17d4343f4eb000c95a7bfb0c478bc315eec842e7f7a2d8bc |
| SHA512 | 7dfceeb44a7d2a7e6c918bffd4c902241ecd4a8f70c81ad0d2fe31a91f05161c25229aafef40c153e13910b0ee4c9214126bd673472bac07ffb2e29668df5110 |
memory/1644-309-0x0000000000400000-0x000000000064D000-memory.dmp
\Program Files (x86)\OSNMount\OSNMount.exe
| MD5 | 016e672371a4716f6f7b5f14a0d22006 |
| SHA1 | 5a1a731ec902a26a4f0bb7774e1c25451b9a0f01 |
| SHA256 | 1328eb253044694b17d4343f4eb000c95a7bfb0c478bc315eec842e7f7a2d8bc |
| SHA512 | 7dfceeb44a7d2a7e6c918bffd4c902241ecd4a8f70c81ad0d2fe31a91f05161c25229aafef40c153e13910b0ee4c9214126bd673472bac07ffb2e29668df5110 |
\Users\Admin\AppData\Local\Temp\7zS99C0.tmp\Install.exe
| MD5 | 4161dc37f51a8abe388ba9020848dd68 |
| SHA1 | c0df7765e93ba705aba079209e9a68a098a5e88a |
| SHA256 | 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b |
| SHA512 | e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c |
memory/1680-323-0x0000000001EB0000-0x0000000002585000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS99C0.tmp\Install.exe
| MD5 | 4161dc37f51a8abe388ba9020848dd68 |
| SHA1 | c0df7765e93ba705aba079209e9a68a098a5e88a |
| SHA256 | 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b |
| SHA512 | e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c |
C:\Users\Admin\AppData\Local\Temp\7zS99C0.tmp\Install.exe
| MD5 | 4161dc37f51a8abe388ba9020848dd68 |
| SHA1 | c0df7765e93ba705aba079209e9a68a098a5e88a |
| SHA256 | 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b |
| SHA512 | e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c |
\Users\Admin\AppData\Local\Temp\7zS99C0.tmp\Install.exe
| MD5 | 4161dc37f51a8abe388ba9020848dd68 |
| SHA1 | c0df7765e93ba705aba079209e9a68a098a5e88a |
| SHA256 | 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b |
| SHA512 | e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c |
\Users\Admin\AppData\Local\Temp\7zS99C0.tmp\Install.exe
| MD5 | 4161dc37f51a8abe388ba9020848dd68 |
| SHA1 | c0df7765e93ba705aba079209e9a68a098a5e88a |
| SHA256 | 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b |
| SHA512 | e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c |
\Users\Admin\AppData\Local\Temp\7zS99C0.tmp\Install.exe
| MD5 | 4161dc37f51a8abe388ba9020848dd68 |
| SHA1 | c0df7765e93ba705aba079209e9a68a098a5e88a |
| SHA256 | 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b |
| SHA512 | e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c |
memory/1432-338-0x00000000013C0000-0x0000000001A95000-memory.dmp
memory/2276-339-0x0000000000400000-0x0000000000513000-memory.dmp
memory/2352-340-0x0000000001260000-0x00000000017AD000-memory.dmp
memory/1432-341-0x00000000013C0000-0x0000000001A95000-memory.dmp
memory/1432-342-0x00000000013C0000-0x0000000001A95000-memory.dmp
memory/1432-343-0x00000000008F0000-0x0000000000FC5000-memory.dmp
memory/1432-344-0x0000000010000000-0x0000000010571000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1721T1WU2LK6LZ4ZGOCL.temp
| MD5 | 5341f81c114c86697713558b2699ae77 |
| SHA1 | db194c0c6bdb22e876977cde825405a6ebf9b8c5 |
| SHA256 | 973371a3071bf0f6a24bf0d242c820be9f92754ac00a029a3f394eaa5412b503 |
| SHA512 | 64e0606ab3d49702914bf5186d1a806414b288de4e9a03e1664f8fdda0f69b1246fabbb4bb5c3dd107ac8243706e04b6faec76dbaab63eac766d347531df0423 |
\Users\Admin\Pictures\Opera_installer_2310051915013512352.dll
| MD5 | e23e7fc90656694198494310a901921a |
| SHA1 | 341540eaf106932d51a3ac56cb07eeb6924f5ebd |
| SHA256 | bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75 |
| SHA512 | d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d |
memory/2568-354-0x000000000B820000-0x000000000BD6D000-memory.dmp
memory/880-356-0x0000000000770000-0x0000000000870000-memory.dmp
memory/2148-357-0x000000001B320000-0x000000001B602000-memory.dmp
memory/2148-367-0x0000000001DA0000-0x0000000001DA8000-memory.dmp
memory/1644-368-0x0000000000400000-0x000000000064D000-memory.dmp
C:\Program Files (x86)\OSNMount\OSNMount.exe
| MD5 | 016e672371a4716f6f7b5f14a0d22006 |
| SHA1 | 5a1a731ec902a26a4f0bb7774e1c25451b9a0f01 |
| SHA256 | 1328eb253044694b17d4343f4eb000c95a7bfb0c478bc315eec842e7f7a2d8bc |
| SHA512 | 7dfceeb44a7d2a7e6c918bffd4c902241ecd4a8f70c81ad0d2fe31a91f05161c25229aafef40c153e13910b0ee4c9214126bd673472bac07ffb2e29668df5110 |
memory/2148-371-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
memory/880-372-0x0000000000400000-0x00000000005B6000-memory.dmp
memory/2964-373-0x000000013F400000-0x000000013F943000-memory.dmp
memory/2148-380-0x0000000002770000-0x00000000027F0000-memory.dmp
memory/2148-381-0x0000000002770000-0x00000000027F0000-memory.dmp
memory/2148-382-0x0000000002770000-0x00000000027F0000-memory.dmp
memory/1644-374-0x0000000000400000-0x000000000064D000-memory.dmp
memory/2148-383-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
memory/2148-386-0x0000000002770000-0x00000000027F0000-memory.dmp
\Users\Admin\Pictures\PUp7Ca2ZLwoMlz64PypWsvIC.exe
| MD5 | 823b5fcdef282c5318b670008b9e6922 |
| SHA1 | d20cd5321d8a3d423af4c6dabc0ac905796bdc6d |
| SHA256 | 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d |
| SHA512 | 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472 |
memory/2248-413-0x0000000000E70000-0x000000000118C000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 54647193dbcc349ef8f37614b781ca52 |
| SHA1 | 0d99b641a311736867c603d10208a37d39b4e95c |
| SHA256 | 24980ddec830afd2a2a4b3b1d01a0e12c349d668e1c926b7afe3f85f5c4fad58 |
| SHA512 | a7d6bf97e7bf2f778b772a11c486563ca38ca26cf6a067962c44639adcb410611b4c78ce703e6ad6d0c36f407bbdc809a90d72d23503ec13abcf3600402b5080 |
memory/988-403-0x0000000003980000-0x0000000003BCD000-memory.dmp
memory/2148-415-0x000007FEF5460000-0x000007FEF5DFD000-memory.dmp
memory/2968-416-0x0000000000400000-0x000000000064D000-memory.dmp
memory/2248-414-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2276-417-0x0000000000400000-0x0000000000513000-memory.dmp
memory/2352-421-0x0000000001260000-0x00000000017AD000-memory.dmp
memory/1432-422-0x00000000008F0000-0x0000000000FC5000-memory.dmp
memory/2968-423-0x0000000000400000-0x000000000064D000-memory.dmp
memory/2964-460-0x000000013F400000-0x000000013F943000-memory.dmp
memory/880-473-0x0000000000400000-0x00000000005B6000-memory.dmp
memory/2556-477-0x0000000001260000-0x00000000012E4000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 7af78ecfa55e8aeb8b699076266f7bcf |
| SHA1 | 432c9deb88d92ae86c55de81af26527d7d1af673 |
| SHA256 | f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e |
| SHA512 | 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e |
memory/2964-481-0x000000013F400000-0x000000013F943000-memory.dmp
memory/2556-489-0x00000000005E0000-0x0000000000642000-memory.dmp
memory/2556-501-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp
memory/2556-505-0x0000000001010000-0x000000000106E000-memory.dmp
memory/788-506-0x0000000002F80000-0x00000000030B1000-memory.dmp
memory/788-504-0x0000000002E00000-0x0000000002F71000-memory.dmp
memory/2556-507-0x0000000000410000-0x0000000000490000-memory.dmp
memory/2248-509-0x0000000000BE0000-0x0000000000C20000-memory.dmp
memory/2248-508-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2276-510-0x0000000000400000-0x0000000000513000-memory.dmp
memory/2248-511-0x0000000000BE0000-0x0000000000C20000-memory.dmp
memory/2796-534-0x000007FEEDD00000-0x000007FEEE69D000-memory.dmp
memory/2796-543-0x0000000002430000-0x00000000024B0000-memory.dmp
memory/2796-544-0x000007FEEDD00000-0x000007FEEE69D000-memory.dmp
memory/2796-547-0x000000001B0F0000-0x000000001B3D2000-memory.dmp
memory/1036-555-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2556-557-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp
memory/1036-558-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1992-609-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1036-611-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2276-739-0x0000000000400000-0x0000000000513000-memory.dmp
memory/2844-741-0x0000000000400000-0x000000000046A000-memory.dmp
memory/1576-746-0x0000000004A90000-0x0000000004E88000-memory.dmp
memory/648-748-0x0000000000400000-0x0000000002FB5000-memory.dmp
memory/560-744-0x0000000004800000-0x0000000004BF8000-memory.dmp
memory/1768-745-0x0000000000400000-0x0000000002FB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\rqBhQmxZHCWBdIf\NvgdKaU.exe
| MD5 | 4161dc37f51a8abe388ba9020848dd68 |
| SHA1 | c0df7765e93ba705aba079209e9a68a098a5e88a |
| SHA256 | 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b |
| SHA512 | e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c |
memory/1928-772-0x0000000000230000-0x0000000000250000-memory.dmp
memory/1192-771-0x000000013F580000-0x000000013FAC3000-memory.dmp
memory/2896-778-0x0000000004B60000-0x0000000004F58000-memory.dmp
memory/560-779-0x0000000000400000-0x0000000002FB5000-memory.dmp
memory/1576-781-0x0000000000400000-0x0000000002FB5000-memory.dmp
memory/2968-792-0x00000000021D0000-0x0000000002219000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | 5da3a881ef991e8010deed799f1a5aaf |
| SHA1 | fea1acea7ed96d7c9788783781e90a2ea48c1a53 |
| SHA256 | f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4 |
| SHA512 | 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-05 19:14
Reported
2023-10-05 19:17
Platform
win10v2004-20230915-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Detected potential entity reuse from brand microsoft.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2800 set thread context of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_state.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe642b46f8,0x7ffe642b4708,0x7ffe642b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_state.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe642b46f8,0x7ffe642b4708,0x7ffe642b4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5771623818168417878,7621029681593155091,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4744 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | learn.microsoft.com | udp |
| NL | 104.85.2.139:443 | learn.microsoft.com | tcp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.2.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | js.monitor.azure.com | udp |
| US | 13.107.246.67:443 | js.monitor.azure.com | tcp |
| US | 13.107.246.67:443 | js.monitor.azure.com | tcp |
| US | 8.8.8.8:53 | mscom.demdex.net | udp |
| IE | 34.249.203.210:443 | mscom.demdex.net | tcp |
| US | 8.8.8.8:53 | target.microsoft.com | udp |
| US | 8.8.8.8:53 | microsoftmscompoc.tt.omtrdc.net | udp |
| US | 8.8.8.8:53 | 67.246.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.203.249.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mdec.nelreports.net | udp |
| US | 2.18.121.71:443 | mdec.nelreports.net | tcp |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | browser.events.data.microsoft.com | udp |
| US | 13.89.178.26:443 | browser.events.data.microsoft.com | tcp |
| US | 13.89.178.26:443 | browser.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.211.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.150.79.40.in-addr.arpa | udp |
Files
memory/2800-0-0x00000000005E0000-0x0000000000642000-memory.dmp
memory/2800-1-0x0000000075010000-0x00000000757C0000-memory.dmp
memory/2800-2-0x00000000050C0000-0x000000000515C000-memory.dmp
memory/2800-3-0x0000000005890000-0x0000000005E34000-memory.dmp
memory/2800-4-0x00000000053E0000-0x0000000005472000-memory.dmp
memory/2800-5-0x0000000005700000-0x0000000005710000-memory.dmp
memory/2800-6-0x0000000004FC0000-0x0000000004FCA000-memory.dmp
memory/2800-7-0x0000000005280000-0x00000000052CC000-memory.dmp
memory/2800-8-0x0000000005690000-0x00000000056AA000-memory.dmp
memory/2092-9-0x0000000004E20000-0x0000000004E56000-memory.dmp
memory/3872-10-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2092-11-0x0000000075010000-0x00000000757C0000-memory.dmp
memory/2092-12-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/2092-14-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/2092-15-0x00000000055A0000-0x0000000005BC8000-memory.dmp
memory/2800-16-0x0000000075010000-0x00000000757C0000-memory.dmp
memory/2092-17-0x0000000005510000-0x0000000005532000-memory.dmp
memory/2092-18-0x0000000005D40000-0x0000000005DA6000-memory.dmp
memory/2092-19-0x0000000005DB0000-0x0000000005E16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qucmii5p.43m.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2092-29-0x0000000005F20000-0x0000000006274000-memory.dmp
memory/2092-30-0x0000000006400000-0x000000000641E000-memory.dmp
memory/2092-31-0x00000000064A0000-0x00000000064EC000-memory.dmp
memory/2092-32-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/2092-33-0x00000000069D0000-0x0000000006A02000-memory.dmp
memory/2092-34-0x00000000708D0000-0x000000007091C000-memory.dmp
memory/2092-44-0x00000000069B0000-0x00000000069CE000-memory.dmp
memory/2092-45-0x0000000007400000-0x00000000074A3000-memory.dmp
memory/2092-46-0x0000000007D60000-0x00000000083DA000-memory.dmp
memory/2092-47-0x0000000007710000-0x000000000772A000-memory.dmp
memory/2092-48-0x0000000007790000-0x000000000779A000-memory.dmp
memory/2092-49-0x0000000007990000-0x0000000007A26000-memory.dmp
memory/2092-50-0x0000000007910000-0x0000000007921000-memory.dmp
memory/2092-51-0x0000000007940000-0x000000000794E000-memory.dmp
memory/2092-52-0x0000000007950000-0x0000000007964000-memory.dmp
memory/2092-53-0x0000000007A50000-0x0000000007A6A000-memory.dmp
memory/2092-54-0x0000000007A30000-0x0000000007A38000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
memory/2092-61-0x0000000075010000-0x00000000757C0000-memory.dmp
memory/2092-69-0x0000000075010000-0x00000000757C0000-memory.dmp
\??\pipe\LOCAL\crashpad_2272_ISQBGQYFUPLBMHRS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 691ed8956c651b451dc4bbfb8fc8e739 |
| SHA1 | f32cce16ad76c2a88f1e9e6e0a009617c29efe81 |
| SHA256 | f91cf7bf745a405cf3e0966a98dd6f4236b4a5fe856734139e77640b45ed80f1 |
| SHA512 | 8ddffa31c1ffeebbd97b12d4c0683ce8723a620f33c28be7a151c37bf12f1ffc4e1125d927e704e724ba584fd129a02d26908a882d69bcd270116a631be89bb8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | afdb58ad2b84c91290ac4da55790c028 |
| SHA1 | bade5d4ae0814eb055ddacb8b93d725dcf400c2e |
| SHA256 | 1d1845d5e43335ddc1565ea444feb0ec480ec623837d387a71acb782dd1290f3 |
| SHA512 | 0b94d847e7efa3340292f95f10cc4012e70deb6842b08b2676ef4cf798a947f72070da2341ff9a184e10afe5b4cb000d518e42b562ad8c64fc572d316bc8730f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 27da28cf1fa7987cafd29c16d90798ba |
| SHA1 | ee6d254b9cdf195baa7715ff2b90925b553493c6 |
| SHA256 | 6c1de7c906db9d323bebd4abbba180d3dd34e7ca34dcfc97c82da9ea1f8fcd8a |
| SHA512 | 1118b08a29769630eb0f5377c429d7d78c8e234301685efa211eeaafc087737a5bb89ac0a67cb84634851155e3933bda4976a4cadcc2ea240f356aa6cbda0db0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | d555d038867542dfb2fb0575a0d3174e |
| SHA1 | 1a5868d6df0b5de26cf3fc7310b628ce0a3726f0 |
| SHA256 | 044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e |
| SHA512 | d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | fdce4a86d5e18fe7f76e0f745186f47a |
| SHA1 | c4907d4918f515ece81142032a67e1cde95d468a |
| SHA256 | 6a054abe17d0304ab836a5f606a0c67f9b4fd458c9405c7d90e95c0737f87b37 |
| SHA512 | 1c9910148977356f3234742ce14bd89d61d9c33f87c140d9da0770f1a2580c17f73bc6a71efd94e5880332b8dd1291e103ba506e8b93fac1310ac9282eed8540 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 3e8c582f85e027cd4101ff4bda3e33b8 |
| SHA1 | 843466317a29c87821807a583e8b9b9cc19e2cd7 |
| SHA256 | 0c7d2a915077de43be75a7e234bdb8a1e9acf2a5e86fe49c8508792aa5145ebd |
| SHA512 | 3f1f179984eece6744c980383b13762baf3bbcb8bdc41c287f58f4f8d21e2ccaedd589b1783e9773db6462f124251fafce9cf0c1c138a9407d9acd6ec02a0cb5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 02f477d4b1550f0bc0373b3c3644f7df |
| SHA1 | 146cf9a6e7f98ecb81e9e26cb5f10b02ad8925e6 |
| SHA256 | f627910343da8d19f1f56d5bbc1fb8bd2902ef9ac461770b8317914c12703d06 |
| SHA512 | 380d4a57e539ae1b4b6e5711969d9545a22c8f8aa639d5b5423d3adb03e8a8ef7a5bea26fbce4a3720b361cca8554aac98f3bd3bbc1969587d23e60b5409b797 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 05592d6b429a6209d372dba7629ce97c |
| SHA1 | b4d45e956e3ec9651d4e1e045b887c7ccbdde326 |
| SHA256 | 3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd |
| SHA512 | caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa |